☁️AZ-104

Microsoft Azure Administrator — Complete Study Guide

This guide covers all 269+ concepts tested on the AZ-104 exam, across 5 official domains. Each concept includes a plain-English explanation, real-world examples, and enterprise use cases. AZ-104 is an intermediate-level certification requiring hands-on experience with Azure administration.

About the AZ-104 Exam

The Microsoft Azure Administrator (AZ-104) validates skills in implementing, managing, and monitoring Azure environments. Candidates are expected to have a minimum of six months of hands-on experience administering Azure, along with a strong understanding of core Azure services, Azure workloads, security, and governance.

AZ-104 is a prerequisite or recommended step before pursuing expert-level certifications such as AZ-305 (Azure Solutions Architect Expert) or AZ-400 (Azure DevOps Engineer Expert). It builds on the fundamentals covered in AZ-900.

The exam includes multiple choice, drag-and-drop, case studies, and performance-based tasks (Azure portal simulations). Hands-on lab practice is essential — studying concepts alone is not sufficient for this exam.

Domain 1 (15–20%)
Manage Azure identities and governance

Azure AD, RBAC, resource management, policies, and governance frameworks

Domain 2 (15–20%)
Implement and manage storage

Storage accounts, blob storage, file shares, backup, and data protection

Domain 3 (20–25%)
Deploy and manage Azure compute resources

Virtual machines, app services, containers, and availability configurations

Domain 4 (25–30%)
Configure and manage virtual networking

Virtual networks, subnets, load balancing, and network security

Domain 5 (10–15%)
Monitor and maintain Azure resources

Azure Monitor, Log Analytics, alerts, cost management, and resource maintenance

Exam Tips & Common Traps

  • RBAC scope: Roles assigned at a higher scope (subscription) are inherited by child scopes (resource groups, resources). Assignments at lower scopes add permissions, never remove them.
  • Azure Policy vs. RBAC: RBAC controls WHO can take actions. Azure Policy controls WHAT actions are allowed on resources. Deny policy overrides RBAC Allow assignments.
  • Storage redundancy: LRS (3 copies, 1 datacenter), ZRS (3 zones, 1 region), GRS (2 regions), GZRS (ZRS + GRS). Know when to use each based on the scenario.
  • VM availability: Availability Sets protect against hardware failures within a datacenter. Availability Zones protect against entire datacenter failures. Zone = stronger SLA.
  • NSG rule priority: Lower number = higher priority. Rules are evaluated in order. The default "DenyAllInbound" rule (priority 65500) blocks traffic not matched by earlier Allow rules.
  • VNet peering: Peering is not transitive. If VNet A peers with B and B peers with C, A cannot reach C without a separate A↔C peering or a hub-spoke topology with a routing device.
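The NSG tip above says rules are evaluated in ascending priority order and that the first match decides, with the built-in DenyAllInBound (65500) catching everything else. The Python model below is an added example written for this guide, not Azure code: it walks a constructed inbound rule set exactly that way so you can predict which rule a packet hits before testing in the portal. The 203.0.113.0/24 corporate range, the 10.0.0.0/16 VNet address space and the Internet tag as 0.0.0.0/0 are assumptions of the example; real service tags resolve to Microsoft-maintained prefix lists.

```python
import ipaddress
from dataclasses import dataclass

# Service tags modelled as fixed prefix lists for this example (assumption);
# the real platform substitutes Microsoft-maintained ranges.
TAGS = {
    "*": [ipaddress.ip_network("0.0.0.0/0")],
    "Internet": [ipaddress.ip_network("0.0.0.0/0")],
    "VirtualNetwork": [ipaddress.ip_network("10.0.0.0/16")],          # assumed VNet address space
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],  # Azure health-probe source
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR prefix or service tag
    dest_port: str    # "443", "3389-3390" or "*"


# Azure's default inbound rules; they sit behind every custom rule (100-4096).
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
]


def _prefixes(source):
    return TAGS[source] if source in TAGS else [ipaddress.ip_network(source, strict=False)]


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _rule_matches(rule, proto, src_ip, port):
    if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
        return False
    if not _port_matches(rule.dest_port, port):
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in _prefixes(rule.source))


def validate_priorities(rules):
    """Custom rules must use unique priorities in the 100-4096 range."""
    priorities = [r.priority for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities must be unique")
    if any(not 100 <= p <= 4096 for p in priorities):
        raise ValueError("custom rule priority must be between 100 and 4096")


def evaluate_inbound(rules, proto, src_ip, port):
    """Return (access, rule_name) for the first rule that matches, lowest priority number first."""
    validate_priorities(rules)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _rule_matches(rule, proto, src_ip, port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every packet")


# Constructed custom rules: HTTPS from anywhere, SSH only from the corporate range,
# then an explicit SSH deny that shows lower numbers win over higher ones.
CUSTOM_RULES = [
    Rule(100, "Allow-HTTPS", "Allow", "Tcp", "Internet", "443"),
    Rule(110, "Allow-SSH-Corp", "Allow", "Tcp", "203.0.113.0/24", "22"),
    Rule(120, "Deny-SSH-Everywhere", "Deny", "Tcp", "*", "22"),
]

if __name__ == "__main__":
    for proto, ip, port in [("Tcp", "203.0.113.10", 22), ("Tcp", "198.51.100.5", 22),
                            ("Tcp", "198.51.100.5", 443), ("Tcp", "198.51.100.5", 3389),
                            ("Tcp", "10.0.1.4", 3389)]:
        print(proto, ip, port, "->", evaluate_inbound(CUSTOM_RULES, proto, ip, port))
```

Reading the output against the tip: SSH from the corporate range is accepted by rule 110 before rule 120 is ever consulted, RDP from the internet falls all the way to DenyAllInBound, and RDP from inside the VNet is accepted by AllowVnetInBound at 65000, which is why an explicit low-priority deny is needed when east-west traffic must be blocked.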

All AZ-104 Concepts

269 concepts covering the full AZ-104 exam syllabus.

Azure Active Directory (Azure AD)

Explanation

Microsoft's cloud-based identity and access management service. It manages user identities, authenticates users, and provides authorization to access resources. Azure AD is different from on-premises Active Directory - it's designed for cloud and hybrid environments.

Examples

Single sign-on to Office 365, managing user access to Azure resources, integrating with third-party SaaS applications like Salesforce, implementing multi-factor authentication for enhanced security.

Enterprise Use Case

Organizations use Azure AD to centrally manage user identities across cloud and on-premises resources, enable secure remote access, and integrate with thousands of pre-configured SaaS applications.

Diagram

Azure AD Structure:
[User] --auth--> [Azure AD] --tokens--> [Applications]
   |                |                        |
[Groups]      [Conditional Access]    [Office 365]
   |                |                        |
[Roles]        [MFA Policies]         [Custom Apps]

Role-Based Access Control (RBAC)

Explanation

A security model that grants access based on roles assigned to users. RBAC follows the principle of least privilege, giving users only the minimum access needed. It consists of security principals (who), role definitions (what actions), and scope (where).

Examples

Assigning "Virtual Machine Contributor" role to a developer for a specific resource group, giving "Reader" access to auditors for subscription-level monitoring, creating custom roles for specific business needs.

Enterprise Use Case

Enterprises use RBAC to manage access across large Azure environments, ensuring developers can manage their resources without affecting production systems, and auditors can view but not modify resources.

Diagram

RBAC Components:
Security Principal + Role Definition + Scope = Role Assignment
     (WHO)              (WHAT)         (WHERE)
      
[User/Group] --> [Built-in/Custom Role] --> [Management Group]
                                                    |
                                              [Subscription]
                                                    |
                                            [Resource Group]
                                                    |
                                               [Resource]
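The diagram shows the three parts of a role assignment and the scope chain they apply to. The Python below is an added example for this guide, not Azure's authorization engine: it models how an assignment made at a management group, subscription or resource group is inherited by everything beneath it, and how Actions and NotActions decide whether one operation is permitted. The role definitions are shortened versions of the built-in roles, and the mg-root/mg-prod/sub-prod hierarchy, principals and resource ids are constructed.

```python
from fnmatch import fnmatchcase

# Shortened role definitions (assumption: the real built-in roles carry longer lists).
# Action patterns use Azure's wildcard syntax and are compared case-insensitively.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Compute/availabilitySets/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
}

# Constructed hierarchy above the subscription: sub-prod -> mg-prod -> mg-root.
PARENT = {
    "/subscriptions/sub-prod": "/providers/Microsoft.Management/managementGroups/mg-prod",
    "/providers/Microsoft.Management/managementGroups/mg-prod":
        "/providers/Microsoft.Management/managementGroups/mg-root",
}


def ancestors(scope):
    """Yield the scope itself, then every enclosing scope up to the root management group."""
    yield scope
    if scope.startswith("/subscriptions/") and "/providers/" in scope:
        scope = scope.split("/providers/")[0]          # resource -> resource group
        yield scope
    if "/resourceGroups/" in scope:
        scope = scope.split("/resourceGroups/")[0]     # resource group -> subscription
        yield scope
    while scope in PARENT:                             # subscription -> management groups
        scope = PARENT[scope]
        yield scope


def _matches(patterns, action):
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role_name, action):
    role = ROLES[role_name]
    return _matches(role["Actions"], action) and not _matches(role["NotActions"], action)


def effective_roles(assignments, principal, scope):
    """Roles a principal holds at a scope: its own assignments plus everything inherited."""
    applicable = set(ancestors(scope))
    return {role for p, role, s in assignments if p == principal and s in applicable}


def is_allowed(assignments, principal, action, scope):
    """RBAC is additive: any applicable assignment that permits the action is enough,
    and nothing assigned at a lower scope can take that permission away."""
    return any(role_permits(r, action) for r in effective_roles(assignments, principal, scope))


# Constructed assignments: (principal, role, scope)
ROLE_ASSIGNMENTS = [
    ("auditor@example.com", "Reader", "/subscriptions/sub-prod"),
    ("dev@example.com", "Virtual Machine Contributor", "/subscriptions/sub-prod/resourceGroups/rg-app"),
    ("platform@example.com", "Contributor", "/providers/Microsoft.Management/managementGroups/mg-root"),
]
VM = "/subscriptions/sub-prod/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
OTHER_VM = "/subscriptions/sub-prod/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/db1"

if __name__ == "__main__":
    for who, action, scope in [("auditor@example.com", "Microsoft.Compute/virtualMachines/read", VM),
                               ("dev@example.com", "Microsoft.Compute/virtualMachines/write", OTHER_VM),
                               ("platform@example.com", "Microsoft.Authorization/roleAssignments/write", VM)]:
        print(who, action, "->", is_allowed(ROLE_ASSIGNMENTS, who, action, scope))
```

The auditor's Reader assignment at the subscription reaches vm1 through inheritance, the developer's VM Contributor assignment stops at rg-app and grants nothing in rg-db, and the Contributor assignment at the root management group is powerful everywhere but still cannot create role assignments because of its NotActions.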

Azure Policy

Explanation

A service that enforces organizational standards and compliance requirements across Azure resources. Policies evaluate resources against business rules and can automatically remediate non-compliant resources. They work at the resource group, subscription, or management group level.

Examples

Preventing creation of expensive VM sizes, enforcing specific naming conventions, requiring tags on resources, ensuring encryption is enabled on storage accounts, restricting resource deployment to specific regions.

Enterprise Use Case

Organizations use Azure Policy to maintain governance at scale, ensure compliance with security standards, control costs by restricting expensive resources, and maintain consistent resource configurations.

Diagram

Azure Policy Governance Framework:

    ┌─────────────────────────────────────────────────────────────────┐
    │                    📋 POLICY LIFECYCLE                         │
    └─┬───────────────────────────────────────────────────────────┬───┘
      │                                                           │
      ▼                                                           ▼
    ┌─────────────────────┐    ┌─────────────────────────────────────┐
    │   📝 DEFINE          │    │           🎯 ASSIGN                │
    │                     │    │                                     │
    │ {                   │───►│  Scope Selection:                   │
    │   "mode": "Indexed",│    │  ┌─────────────────────────────────┐│
    │   "policyRule": {   │    │  │🏢 Management Group              ││
    │     "if": {         │    │  │  └─💳 Subscription              ││
    │       "field":      │    │  │     └─📁 Resource Group        ││
    │       "type",       │    │  │        └─🖥️ Individual Resource││
    │       "equals": "VM"│    │  └─────────────────────────────────┘│
    │     },              │    │                                     │
    │     "then": {       │    │  Parameters: {"allowedSizes":       │
    │       "effect":     │    │              ["Standard_B2s"]}      │
    │       "deny"        │    │                                     │
    │     }               │    └─────────────────┬───────────────────┘
    │   }                 │                      │
    │ }                   │                      ▼
    └─────────────────────┘            ┌─────────────────────┐
                                       │    ⚖️ EVALUATE       │
                                       │                     │
    ┌─────────────────────┐            │  🔍 Continuous      │
    │   📊 MONITOR         │◄───────────│     Scanning        │
    │                     │            │                     │
    │ Compliance Dashboard│            │  Real-time:         │
    │ ┌─────────────────┐ │            │  • Resource create  │
    │ │✅ Compliant: 85%│ │            │  • Resource update  │
    │ │❌ Non-compliant │ │            │  • Policy change    │
    │ │   15%           │ │            │                     │
    │ └─────────────────┘ │            │  Batch:             │
    │                     │            │  • Daily scan       │
    │ 🚨 Alerts & Reports │            │  • On-demand        │
    │ 📈 Trends & History │            └──┬──────────────────┘
    └─────────────────────┘               │
              ▲                           ▼
              │                 ┌─────────────────────┐
              │                 │   ⚡ ENFORCE         │
              │                 │                     │
              └─────────────────│ Policy Effects:     │
                                │                     │
                                │ 🚫 DENY             │
                                │ └─ Block deployment │
                                │                     │
                                │ 📋 AUDIT            │
                                │ └─ Log compliance   │
                                │                     │
                                │ 🔧 MODIFY           │
                                │ └─ Auto-remediate   │
                                │                     │
                                │ 🏗️ DEPLOYIFNOTEXISTS│
                                │ └─ Create resource  │
                                └─────────────────────┘

    Common Policy Examples:
    ──────────────────────
    🔒 "Require HTTPS only for storage accounts"
    💰 "Allowed VM sizes: Standard_B2s, Standard_D2s_v3"  
    🏷️ "Require 'Environment' tag on all resources"
    🌍 "Allow resources only in East US 2, West US 2"
    🔐 "Deploy backup on all VMs automatically"
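The DEFINE box above shows the if/then shape of a policy rule and the ASSIGN box shows parameters such as allowedSizes being supplied at assignment time. The Python below is an added example for this guide, not the Azure Policy engine: a small evaluator for that rule language (field, equals, in, notIn, exists, not, allOf, anyOf, and [parameters('...')] references) run over three constructed policies that mirror the common examples listed above. The resource records are flattened dictionaries keyed by the alias names the rules use, and string comparison is case-sensitive here, which is a simplification.

```python
import re


def _resolve(value, params):
    """Replace the [parameters('name')] template form with the assignment's parameter value."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
        if m:
            return params[m.group(1)]
    return value


def _field(resource, name):
    """Read a field or a tags['Name'] alias from a flattened resource record."""
    m = re.fullmatch(r"tags\['(.+)'\]", name)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    return resource.get(name)


def condition_holds(cond, resource, params):
    if "allOf" in cond:
        return all(condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource, params)
    actual = _field(resource, cond["field"])
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params)
    if "in" in cond:
        return actual in _resolve(cond["in"], params)
    if "notIn" in cond:
        return actual not in _resolve(cond["notIn"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, params, resource):
    """Return the effect that fires ('deny', 'audit', ...) or None when the resource complies."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if condition_holds(rule["if"], resource, params) else None


def check_compliance(assignments, resource):
    """assignments: (name, policy, params). Returns {assignment name: effect or 'compliant'}."""
    return {name: (evaluate(policy, params, resource) or "compliant")
            for name, policy, params in assignments}


def deployment_blocked(results):
    """Any deny effect stops the deployment even if RBAC would allow it."""
    return "deny" in results.values()


# Constructed policy definitions mirroring the examples listed above.
ALLOWED_SIZES = {"mode": "Indexed", "parameters": {"allowedSizes": {"type": "Array"}},
                 "policyRule": {"if": {"allOf": [
                     {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                     {"field": "Microsoft.Compute/virtualMachines/sku.name",
                      "notIn": "[parameters('allowedSizes')]"}]},
                                "then": {"effect": "deny"}}}
REQUIRE_ENV_TAG = {"mode": "Indexed",
                   "policyRule": {"if": {"field": "tags['Environment']", "exists": "false"},
                                  "then": {"effect": "deny"}}}
ALLOWED_LOCATIONS = {"mode": "Indexed",
                     "policyRule": {"if": {"field": "location",
                                           "notIn": "[parameters('listOfAllowedLocations')]"},
                                    "then": {"effect": "audit"}}}

POLICY_ASSIGNMENTS = [
    ("allowed-vm-sizes", ALLOWED_SIZES, {"allowedSizes": ["Standard_B2s", "Standard_D2s_v3"]}),
    ("require-environment-tag", REQUIRE_ENV_TAG, {}),
    ("allowed-locations", ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["eastus2", "westus2"]}),
]

# Constructed resources in the flattened form the evaluator reads.
COMPLIANT_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "eastus2",
                "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s",
                "tags": {"Environment": "prod"}}
OVERSIZED_VM = {"type": "Microsoft.Compute/virtualMachines", "location": "northeurope",
                "Microsoft.Compute/virtualMachines/sku.name": "Standard_D64s_v3"}
UNTAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus2"}

if __name__ == "__main__":
    for name, res in [("compliant vm", COMPLIANT_VM), ("oversized vm", OVERSIZED_VM),
                      ("untagged storage", UNTAGGED_STORAGE)]:
        print(name, check_compliance(POLICY_ASSIGNMENTS, res))
```

Note how the audit effect on the locations policy records non-compliance without blocking, while either deny is enough for deployment_blocked to return True; that is the "Deny policy overrides RBAC Allow" trap from the tips section in code form.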

Manage Costs using Alerts, Budgets, and Azure Advisor

Explanation

Azure provides comprehensive cost management tools including budgets (spending limits with alerts), cost alerts (proactive notifications), and Azure Advisor (AI-driven recommendations). These tools help control spending, optimize resources, and prevent bill shock.

Examples

Setting up monthly budgets with 80% and 100% alerts, configuring anomaly detection for unusual spending, reviewing Advisor recommendations to resize or shut down underutilized VMs, using cost analysis to identify expensive resources.

Enterprise Use Case

Organizations use cost management to control cloud spending, prevent budget overruns, optimize resource allocation, track departmental costs through tags, and implement financial governance across teams.

Diagram

Azure Cost Management Ecosystem:

┌─────────────────────────────────────────────────────────────────┐
│                    💰 COST MANAGEMENT CENTER                    │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│     📊 BUDGETS      │    │           🚨 ALERTS                │
│                     │    │                                     │
│ Monthly Budget:     │    │  Types:                             │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │💳 $1000/month   │ │───►│  │📧 Budget alerts (80%, 100%)    ││
│ │📈 80% = $800    │ │    │  │🔔 Anomaly detection             ││
│ │🚨 100% = $1000  │ │    │  │📊 Cost threshold breaches      ││
│ │🏷️ Scope: RG     │ │    │  │🎯 Action groups (email/SMS)    ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Forecast: $1200     │    │  Notifications:                     │
│ Status: ⚠️ Over     │    │  • Finance team alerts             │
└─────────────────────┘    │  • Auto-shutdown policies          │
                           └─────────────────────────────────────┘
              │                              │
              ▼                              ▼
    ┌─────────────────────┐        ┌─────────────────────┐
    │   🎯 AZURE ADVISOR  │        │   📈 COST ANALYSIS  │
    │                     │        │                     │
    │ Recommendations:    │        │ Views:              │
    │ ┌─────────────────┐ │        │ ┌─────────────────┐ │
    │ │💡 Resize VMs    │ │        │ │📊 By resource   │ │
    │ │🔄 Right-size    │ │        │ │🏷️ By tags       │ │
    │ │💾 Reserved inst.│ │        │ │📅 Time trends   │ │
    │ │🗑️ Delete unused │ │        │ │🏢 By department │ │
    │ └─────────────────┘ │        │ └─────────────────┘ │
    │                     │        │                     │
    │ Potential Savings:  │        │ Filters & Grouping: │
    │ 💰 $300/month      │        │ • Service type      │
    └─────────────────────┘        │ • Location          │
                                   │ • Billing period    │
                                   └─────────────────────┘

Implementation Commands:
─────────────────────────
🖥️  Portal: Cost Management + Billing
💻  CLI: az consumption budget create
⚡  PowerShell: New-AzConsumptionBudget

Configure Management Groups

Explanation

Management Groups provide hierarchical organization above subscriptions, allowing policy and access management at scale. They support up to 6 levels of depth and can contain other management groups or subscriptions. Each tenant has a root management group.

Examples

Organizing by business units (Production, Development, HR), applying corporate policies at the root level, delegating department-level access control, implementing different security policies per environment.

Enterprise Use Case

Large enterprises use management groups to organize hundreds of subscriptions, apply governance policies consistently, delegate management to business units, and implement hierarchical access control structures.

Diagram

Management Group Hierarchy Structure:

┌─────────────────────────────────────────────────────────────────┐
│                     🏢 ROOT MANAGEMENT GROUP                    │
│                    (Tenant Root Group)                         │
│                                                                 │
│ Policies Applied:                                               │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │🔐 "Require MFA for all users"                              │ │
│ │🌍 "Allow resources only in approved regions"               │ │
│ │🏷️ "Require cost center tag on all resources"               │ │
│ └─────────────────────────────────────────────────────────────┘ │
└─┬─────────────────────────────────┬─────────────────────────────┘
  │                                 │
  ▼                                 ▼
┌─────────────────────────────────┐ ┌─────────────────────────────────┐
│        🏭 PRODUCTION MG         │ │       🧪 NON-PRODUCTION MG      │
│                                 │ │                                 │
│ Additional Policies:            │ │ Additional Policies:            │
│ ┌─────────────────────────────┐ │ │ ┌─────────────────────────────┐ │
│ │🛡️ "Enhanced security"       │ │ │ │💰 "Lower cost SKUs only"    │ │
│ │📊 "Backup required"         │ │ │ │⏰ "Auto-shutdown at night"  │ │
│ │🔄 "Change control process" │ │ │ │🔧 "Allow experimental VMs" │ │
│ └─────────────────────────────┘ │ │ └─────────────────────────────┘ │
└─┬─────────────────────────────┬─┘ └─┬─────────────────────────────┬─┘
  │                             │     │                             │
  ▼                             ▼     ▼                             ▼
┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐   ┌─────────────────┐
│   💼 FINANCE    │   │     🛒 SALES    │   │      👨‍💻 DEV      │   │      🧪 TEST     │
│  BUSINESS UNIT  │   │  BUSINESS UNIT  │   │  BUSINESS UNIT  │   │  BUSINESS UNIT  │
│                 │   │                 │   │                 │   │                 │
│ Subscriptions:  │   │ Subscriptions:  │   │ Subscriptions:  │   │ Subscriptions:  │
│ ┌─────────────┐ │   │ ┌─────────────┐ │   │ ┌─────────────┐ │   │ ┌─────────────┐ │
│ │💳 Prod-Fin  │ │   │ │💳 Prod-Sales│ │   │ │💳 Dev-Apps  │ │   │ │💳 Test-Env  │ │
│ │💳 DR-Fin    │ │   │ │💳 CRM-Prod  │ │   │ │💳 Dev-Data  │ │   │ │💳 Test-Env  │ │
│ └─────────────┘ │   │ └─────────────┘ │   │ └─────────────┘ │   │ └─────────────┘ │
└─────────────────┘   └─────────────────┘   └─────────────────┘   └─────────────────┘

Management Group Benefits:
──────────────────────────
✅ Policy inheritance down the hierarchy
✅ RBAC assignment at management group level
✅ Cost reporting and budgets by business unit
✅ Simplified governance at scale
✅ Delegation of management to business owners

Implementation Methods:
─────────────────────
🖥️  Portal: Management Groups blade
💻  CLI: az account management-group create
⚡  PowerShell: New-AzManagementGroup

Hierarchy Rules:
───────────────
• Maximum 6 levels of depth
• Root group cannot be moved or deleted
• Each group can have multiple parents
• Policies and access inherit downward

Azure Storage Accounts

Explanation

A container that groups Azure storage services together. It provides a unique namespace for your data and serves as the security boundary. Storage accounts contain blobs, files, queues, and tables, with different performance tiers and replication options.

Examples

Creating a standard storage account for general purpose use, premium storage for high-performance applications, blob storage for website static content, file storage for shared application data.

Enterprise Use Case

Companies use storage accounts to store application data, website content, backup files, and logs. Different storage types serve different needs - from high-performance databases to cost-effective archival storage.

Diagram

Azure Storage Account Architecture:
┌─────────────────────────────────────────────────────────┐
│                AZURE STORAGE ACCOUNT                    │
│           (Unique Namespace & Security Boundary)        │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📊 STORAGE SERVICES                         ⚙️ MANAGEMENT & CONFIG
┌─────────────────────┐                    ┌─────────────────────┐
│ Blob Storage:       │                    │ Performance Tiers:  │
│ • Block blobs       │───►                │ • Standard (HDD)    │
│ • Page blobs        │    │               │ • Premium (SSD)     │
│ • Append blobs      │    │               │                     │
│                     │    │               │ Replication Options:│
│ File Storage:       │    ▼               │ • LRS (Local)       │
│ • Azure Files       │ [ACCESS CONTROL]   │ • ZRS (Zone)        │
│ • Premium Files     │ & SECURITY         │ • GRS (Geo)         │
│                     │    │               │ • RA-GRS (Read-Geo) │
│ Queue Storage:      │    │               │                     │
│ • Message queues    │    ▼               │ Access Tiers:       │
│ • FIFO processing   │ [STORAGE ACCOUNT]  │ • Hot (frequent)    │
│                     │ [NAMESPACE]        │ • Cool (infrequent) │
│ Table Storage:      │    │               │ • Archive (rare)    │
│ • NoSQL key-value   │    │               │                     │
│ • Structured data   │    │               │ Security Features:  │
└─────────────────────┘    │               │ • Encryption at rest│
                          │               │ • HTTPS enforcement │
                          ▼               │ • Access keys       │
┌─────────────────────────────────────────────────────────┐ │ • SAS tokens       │
│                   ENDPOINTS                             │ │ • RBAC integration │
│                                                         │ └─────────────────────┘
│  🌐 Blob:    https://account.blob.core.windows.net     │
│  📁 File:    https://account.file.core.windows.net     │
│  📬 Queue:   https://account.queue.core.windows.net    │
│  📊 Table:   https://account.table.core.windows.net    │
└─────────────────────────────────────────────────────────┘

Storage Account Types:
──────────────────────
💼 General Purpose v2  - Most scenarios, all services
🏃 Premium Block Blob  - High performance applications  
📁 Premium File Share  - Enterprise file workloads
📦 Premium Page Blob   - Virtual machine disks

Azure Blob Storage

Explanation

Object storage service for storing massive amounts of unstructured data like text, binary data, images, videos, and documents. Blobs are stored in containers and organized in a flat structure. Offers different access tiers for cost optimization.

Examples

Storing website images and videos, backup files, log files, serving static content for web applications, storing data for analytics and machine learning, document storage for applications.

Enterprise Use Case

Used for data lakes, content distribution, backup and restore, disaster recovery, and serving images/documents to web and mobile applications. Cost-effective for large amounts of infrequently accessed data.

Diagram

Azure Blob Storage Architecture:
┌─────────────────────────────────────────────────────────┐
│                   AZURE BLOB STORAGE                    │
│              (Object Storage for Cloud Scale)           │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📁 BLOB TYPES & HIERARCHY              🎯 ACCESS TIERS & LIFECYCLE
┌─────────────────────┐                    ┌─────────────────────┐
│ Storage Account     │                    │ Hot Tier:           │
│ └── Container       │───►                │ • Frequent access   │
│     └── Blob        │    │               │ • Highest cost      │
│                     │    │               │ • Lowest latency    │
│ Blob Types:         │    │               │ • Online access     │
│ ┌─────────────────┐ │    ▼               │                     │
│ │ Block Blobs:    │ │ [BLOB STORAGE]     │ Cool Tier:          │
│ │ • Text files    │ │ [CONTAINER]        │ • Infrequent access │
│ │ • Images/videos │ │    │               │ • Lower cost        │
│ │ • Documents     │ │    │               │ • 30-day minimum    │
│ │ • Backup files  │ │    │               │ • Online access     │
│ └─────────────────┘ │    │               │                     │
│ ┌─────────────────┐ │    ▼               │ Archive Tier:       │
│ │ Page Blobs:     │ │ [BLOB ACCESS]      │ • Rare access       │
│ │ • VHD files     │ │ [MANAGEMENT]       │ • Lowest cost       │
│ │ • Database data │ │                    │ • 180-day minimum   │
│ │ • Azure disks   │ │                    │ • Offline access    │
│ └─────────────────┘ │                    │ • Rehydration req'd │
│ ┌─────────────────┐ │                    └─────────────────────┘
│ │ Append Blobs:   │ │
│ │ • Log files     │ │                    📊 BLOB FEATURES
│ │ • Audit trails  │ │                    ┌─────────────────────┐
│ │ • Streaming     │ │                    │ Security:           │
│ └─────────────────┘ │                    │ • Encryption at rest│
└─────────────────────┘                    │ • HTTPS enforcement │
                                          │ • SAS tokens        │
🔄 LIFECYCLE MANAGEMENT                     │ • Access policies   │
┌─────────────────────────────────────────────────────────┐ │                     │
│                                                         │ │ Performance:        │
│  Data Flow: Hot ──30 days──► Cool ──180 days──► Archive │ │ • Scalable throughput│
│                                                         │ │ • Global distribution│
│  Auto-Transition Rules:                                 │ │ • CDN integration   │
│  • Delete after X days                                 │ │ • Geo-replication   │
│  • Move to Cool if not accessed                        │ │                     │
│  • Archive old backup files                            │ │ Integration:        │
│  • Cost optimization                                   │ │ • Azure CDN         │
└─────────────────────────────────────────────────────────┘ │ • Event Grid        │
                                                          │ • Logic Apps        │
Storage Cost Optimization:                               │ • Static websites   │
─────────────────────────                               └─────────────────────┘
💰 Hot: $0.0184/GB    (Immediate access, highest cost)
💰 Cool: $0.0115/GB   (30-day retention, medium cost)  
💰 Archive: $0.00099/GB (180-day retention, lowest cost)
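The lifecycle box above describes the Hot, 30 days, Cool, 180 days, Archive flow and the tier prices per GB. The Python below is an added example for this guide, not Azure's lifecycle engine: it takes a rule in the JSON shape the Blob service accepts, decides what the next lifecycle run would do with each of a few constructed blobs, and prices the container before and after using the figures quoted above (illustrative numbers from this guide, not a price quote). Rehydration cost and early-deletion charges for the 30- and 180-day minimums are left out.

```python
from datetime import date

# Lifecycle management policy in the shape the Blob service accepts (constructed example).
LIFECYCLE_POLICY = {"rules": [{
    "enabled": True, "name": "tier-backups", "type": "Lifecycle",
    "definition": {
        "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["backups/"]},
        "actions": {"baseBlob": {
            "tierToCool": {"daysAfterModificationGreaterThan": 30},
            "tierToArchive": {"daysAfterModificationGreaterThan": 180},
            "delete": {"daysAfterModificationGreaterThan": 365},
        }},
    },
}]}

# Per GB-month prices quoted in the section above (illustrative only).
PRICE_PER_GB = {"Hot": 0.0184, "Cool": 0.0115, "Archive": 0.00099}
TIER_ORDER = {"Hot": 0, "Cool": 1, "Archive": 2}


def _rule_applies(rule, blob):
    filters = rule["definition"].get("filters", {})
    if blob["type"] not in filters.get("blobTypes", [blob["type"]]):
        return False
    prefixes = filters.get("prefixMatch")
    return not prefixes or any(blob["name"].startswith(p) for p in prefixes)


def planned_action(policy, blob, today):
    """Return 'delete', 'Archive', 'Cool' or None for the next run.

    The most aggressive action whose age threshold is met wins; a tier move only
    counts when the target is colder than the blob's current tier."""
    age_days = (today - blob["last_modified"]).days
    for rule in policy["rules"]:
        if not rule["enabled"] or not _rule_applies(rule, blob):
            continue
        actions = rule["definition"]["actions"]["baseBlob"]
        for key, result in (("delete", "delete"), ("tierToArchive", "Archive"), ("tierToCool", "Cool")):
            if key not in actions or age_days <= actions[key]["daysAfterModificationGreaterThan"]:
                continue
            if result == "delete" or TIER_ORDER[result] > TIER_ORDER[blob["tier"]]:
                return result
            return None          # already in that tier or colder
    return None


def monthly_cost(blobs, today, policy=None):
    """Monthly storage cost, optionally after applying the policy's next run."""
    total = 0.0
    for blob in blobs:
        tier = blob["tier"]
        if policy is not None:
            action = planned_action(policy, blob, today)
            if action == "delete":
                continue
            if action:
                tier = action
        total += blob["size_gb"] * PRICE_PER_GB[tier]
    return round(total, 2)


TODAY = date(2024, 7, 1)
# Constructed blob inventory: name, type, current tier, size and last-modified date.
BLOBS = [
    {"name": "backups/db-2024-06-20.bak", "type": "blockBlob", "tier": "Hot", "size_gb": 500, "last_modified": date(2024, 6, 20)},
    {"name": "backups/db-2024-05-01.bak", "type": "blockBlob", "tier": "Hot", "size_gb": 500, "last_modified": date(2024, 5, 1)},
    {"name": "backups/db-2023-11-01.bak", "type": "blockBlob", "tier": "Cool", "size_gb": 500, "last_modified": date(2023, 11, 1)},
    {"name": "backups/db-2023-03-01.bak", "type": "blockBlob", "tier": "Archive", "size_gb": 500, "last_modified": date(2023, 3, 1)},
    {"name": "images/logo.png", "type": "blockBlob", "tier": "Hot", "size_gb": 1, "last_modified": date(2023, 1, 1)},
]

if __name__ == "__main__":
    for blob in BLOBS:
        print(blob["name"], blob["tier"], "->", planned_action(LIFECYCLE_POLICY, blob, TODAY))
    print("now:", monthly_cost(BLOBS, TODAY), "after policy:", monthly_cost(BLOBS, TODAY, LIFECYCLE_POLICY))
```

The prefix filter is the security-relevant part to get right: a rule with no prefixMatch applies to every block blob in the account, so a delete action written for backups/ can silently remove unrelated data if the filter is omitted.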

Azure Backup

Explanation

A cloud-based backup service that protects data in Azure and on-premises environments. Uses Recovery Services Vault to store backup data with built-in security, monitoring, and management. Provides application-consistent backups and long-term retention.

Examples

Backing up Azure VMs automatically, protecting on-premises servers and workloads, backing up Azure file shares, SQL Server in Azure VMs, protecting SharePoint and Exchange data.

Enterprise Use Case

Organizations use Azure Backup for disaster recovery, compliance requirements, protecting against ransomware, migrating workloads to cloud, and reducing backup infrastructure costs.

Diagram

Azure Backup Architecture:
[Source Data] --> [Backup Agent/Extension] --> [Recovery Services Vault]
     |                        |                          |
[Azure VMs]            [Backup Policy]              [Encrypted Storage]
[On-premises]          [Scheduling]                 [Geo-redundant]
[File Shares]          [Retention]                  [Monitoring]

Configure Azure Storage Firewalls and Virtual Networks

Explanation

Storage firewalls control network access to storage accounts by restricting access to specific IP addresses, virtual networks, or subnets. This provides network-level security and ensures data access only from trusted sources.

Examples

Allowing access only from corporate VPN IP ranges, restricting storage access to specific Azure subnets, enabling trusted Azure services, configuring subnet service endpoints.

Enterprise Use Case

Organizations use storage firewalls to secure sensitive data, comply with data residency requirements, prevent unauthorized access, and implement zero-trust network security.

Diagram

Storage Network Access Control:

    ┌─────────────────────────────────────────────────────────────────┐
    │                  🔒 STORAGE FIREWALL RULES                     │
    └─────────────────────────────────────────────────────────────────┘
    
    🌐 Internet Traffic                    🏢 Corporate Network
           │                                      │
           ▼                                      ▼
    ┌─────────────┐                        ┌─────────────┐
    │     🚫       │                        │     ✅       │
    │   BLOCKED    │                        │  ALLOWED     │
    │             │◄──── Firewall ────────►│             │
    │ Public IPs   │      Rules             │ Trusted IPs  │
    │ Random Users │                        │ VNet Subnets │
    │             │                        │ Corp VPN     │
    └─────────────┘                        └─────────────┘
           │                                      │
           ▼                                      ▼
    ┌─────────────────────────────────────────────────────────┐
    │                💾 STORAGE ACCOUNT                      │
    │                                                         │
    │  Access Rules Configuration:                            │
    │  ═══════════════════════════                            │
    │                                                         │
    │  🔧 Networking Settings:                                │
    │  • Selected networks only                               │
    │  • Virtual networks: prod-vnet/app-subnet              │
    │  • IP address ranges: 203.0.113.0/24                  │
    │  • Trusted Azure services: ✅ Enabled                  │
    │                                                         │
    │  📋 Service Endpoints:                                  │
    │  • Microsoft.Storage enabled on subnets                │
    │  • Direct routing to storage service                    │
    │  • No internet gateway required                         │
    └─────────────────────────────────────────────────────────┘
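The diagram above lists the three sources a storage firewall can admit: IP address ranges, virtual network subnets with the Microsoft.Storage service endpoint, and trusted Azure services via the bypass setting. The Python below is an added example for this guide, not Azure's network ACL implementation: it models those rules with a default action of Deny and checks a few constructed requests against them. The 203.0.113.0/24 range, the prod-vnet/app-subnet resource id and the test source addresses are assumptions; the rejection of RFC 1918 ranges in IP rules reflects Azure's documented restriction that private addresses must be admitted through virtual network rules instead.

```python
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class StorageNetworkRules:
    """Model of a storage account's networking settings in 'Selected networks' mode."""

    def __init__(self, default_action="Deny", bypass=("AzureServices",)):
        self.default_action = default_action      # "Deny" = selected networks only
        self.bypass = set(bypass)                 # e.g. {"AzureServices", "Logging", "Metrics"}
        self.ip_rules = []                        # public IPv4/IPv6 prefixes
        self.vnet_rules = set()                   # subnet resource ids with the service endpoint

    def add_ip_rule(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        # Private (RFC 1918) ranges are not accepted in IP rules; use a VNet rule instead.
        if net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_RANGES):
            raise ValueError(f"private range not allowed in IP rules: {cidr}")
        self.ip_rules.append(net)

    def add_vnet_rule(self, subnet_id):
        self.vnet_rules.add(subnet_id.lower())

    def allows(self, *, source_ip=None, subnet_id=None, trusted_service=False):
        """Return 'Allow' or the default action for one request.

        Traffic arriving over a service endpoint carries the subnet identity rather
        than a public source IP, which is why subnet_id is matched before source_ip."""
        if trusted_service and "AzureServices" in self.bypass:
            return "Allow"
        if subnet_id and subnet_id.lower() in self.vnet_rules:
            return "Allow"
        if source_ip and any(ipaddress.ip_address(source_ip) in net for net in self.ip_rules):
            return "Allow"
        return self.default_action


APP_SUBNET = ("/subscriptions/sub-prod/resourceGroups/rg-net/providers/Microsoft.Network"
              "/virtualNetworks/prod-vnet/subnets/app-subnet")   # constructed resource id


def build_rules():
    """The configuration from the diagram: corp range, app subnet, trusted services on."""
    rules = StorageNetworkRules(default_action="Deny", bypass=("AzureServices",))
    rules.add_ip_rule("203.0.113.0/24")
    rules.add_vnet_rule(APP_SUBNET)
    return rules


if __name__ == "__main__":
    rules = build_rules()
    print("corp VPN address:", rules.allows(source_ip="203.0.113.25"))
    print("random internet:", rules.allows(source_ip="198.51.100.7"))
    print("app subnet:", rules.allows(subnet_id=APP_SUBNET))
    print("backup service:", rules.allows(source_ip="198.51.100.7", trusted_service=True))
```

Two checks worth keeping in mind from the model: flipping default_action back to Allow makes every rule irrelevant (that is the "All networks" state), and removing AzureServices from bypass will break platform services such as Azure Backup that reach the account without a matching rule.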

Create and Use Shared Access Signature (SAS) Tokens

Explanation

SAS tokens provide secure, time-limited access to storage resources without sharing account keys. They grant granular permissions for specific operations, containers, or blobs with expiration dates.

Examples

Temporary read access for file downloads, write permissions for uploads, service-level SAS for applications, user delegation SAS for enhanced security.

Enterprise Use Case

Applications use SAS for secure third-party integrations, temporary file sharing, client-side uploads, and API access without exposing storage keys.

Diagram

SAS Token Architecture & Security Flow:

    ┌─────────────────────────────────────────────────────────────────┐
    │                    🔑 SAS TOKEN GENERATION                      │
    └─────────────────────────────────────────────────────────────────┘
    
    Storage Account Key                       SAS Token Components
    ─────────────────────                    ═══════════════════════
           │                                  
           │ 1. Generate                      📅 Start Time: 2024-01-15T09:00Z
           ▼                                  📅 Expiry: 2024-01-15T17:00Z  
    ┌──────────────────────┐                 🔐 Permissions: rw (read/write)
    │   🏭 TOKEN FACTORY    │────────────────►📁 Resource: /container/blob/*
    │                      │                 🌐 IP Range: 203.0.113.0/24
    │ Account Key + Rules  │                 📡 Protocol: HTTPS only
    │ = Signed URL         │                 
    └──────────────────────┘                 
                                             
    Generated SAS URL:                        
    ════════════════                         
    https://mystorageaccount.blob.core.windows.net/
    container/myblob.txt?
    sv=2020-08-04&                           📋 Service Version
    ss=b&                                    🗂️ Service (blob)
    srt=o&                                   🎯 Resource Type (object)
    sp=rw&                                   🔓 Permissions (read/write)
    se=2024-01-15T17:00:00Z&                ⏰ Expiry Time
    st=2024-01-15T09:00:00Z&                🚀 Start Time
    spr=https&                              🔒 Protocol (HTTPS)
    sig=<cryptographic-signature>            ✍️ Signature
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                      🎯 ACCESS SCENARIOS                        │
    └─────────────────────────────────────────────────────────────────┘
    
    Account SAS              Service SAS              User Delegation SAS
    ═══════════              ═══════════              ════════════════════
    
    🔑 Account Key           🔑 Account Key           🆔 Azure AD Identity
    📊 All Services          📊 Single Service        🔐 Enhanced Security  
    🎛️ Full Control          🎯 Granular Control      ⏰ Short-lived Tokens
    
         │                       │                           │
         ▼                       ▼                           ▼
    ┌─────────┐            ┌─────────┐               ┌─────────────┐
    │ Storage │            │  Blob   │               │   Secure    │
    │ Account │            │Container│               │   Access    │
    │ Access  │            │ Access  │               │   Token     │
    └─────────┘            └─────────┘               └─────────────┘
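The generated SAS URL above is a signed set of query parameters: the service recomputes the HMAC over those parameters with the account key and refuses the request if anything was changed. The Python below is an added example for this guide, not Microsoft's SDK: it builds an account SAS query string with the documented string-to-sign field order for service versions before 2020-12-06 (account name, permissions, services, resource types, start, expiry, IP range, protocol, version, each followed by a newline) and then models the service-side checks: signature against either key, time window, HTTPS-only and the sip range. The account name, both keys and the client addresses are constructed; the validator is a simplified model, so confirm the string-to-sign against the current REST reference before relying on it in code.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "mystorageaccount"
# Constructed stand-ins for key1/key2 (Azure keys are 64 random bytes, base64-encoded). Never real.
KEYS = {
    "key1": base64.b64encode(bytes(range(64))).decode(),
    "key2": base64.b64encode(bytes(range(64, 128))).decode(),
}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _string_to_sign(sp, ss, srt, st, se, sip, spr, sv):
    return "\n".join([ACCOUNT, sp, ss, srt, st, se, sip, spr, sv]) + "\n"


def make_account_sas(key_b64, sp, ss, srt, start, expiry, sip="", spr="https", sv="2020-08-04"):
    """Return the query-string part of an account SAS URL."""
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    params = {"sv": sv, "ss": ss, "srt": srt, "sp": sp, "st": st, "se": se, "spr": spr}
    if sip:
        params["sip"] = sip
    params["sig"] = _sign(key_b64, _string_to_sign(sp, ss, srt, st, se, sip, spr, sv))
    return urlencode(params)


def _ip_in_range(sip, client_ip):
    lo, _, hi = sip.partition("-")          # sip is a single address or "start-end"
    ip = ipaddress.ip_address(client_ip)
    return ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi or lo)


def validate_account_sas(query, now, client_ip, scheme, keys=None):
    """Model of the service-side checks. Returns (ok, reason)."""
    keys = keys or KEYS
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sip = q.get("sip", "")
    sts = _string_to_sign(q["sp"], q["ss"], q["srt"], q.get("st", ""), q["se"], sip, q["spr"], q["sv"])
    # Either current key validates: that is what lets you rotate one key at a time.
    if not any(hmac.compare_digest(_sign(k, sts), q["sig"]) for k in keys.values()):
        return False, "signature does not match key1 or key2"
    if q.get("st") and now < datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc):
        return False, "not yet valid"
    if now >= datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc):
        return False, "expired"
    if q["spr"] == "https" and scheme != "https":
        return False, "HTTPS required"
    if sip and not _ip_in_range(sip, client_ip):
        return False, "client IP outside sip"
    return True, "ok"


def demo():
    """Exercise one token against each check; returns {scenario: (ok, reason)}."""
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    expiry, noon = start + timedelta(hours=8), start + timedelta(hours=3)
    sas = make_account_sas(KEYS["key1"], "rw", "b", "o", start, expiry, sip="203.0.113.0-203.0.113.255")
    # Simulate "regenerate key1": key2 still validates, key1-signed tokens stop working.
    rotated = dict(KEYS, key1=base64.b64encode(bytes(range(128, 192))).decode())
    key2_sas = make_account_sas(KEYS["key2"], "r", "b", "o", start, expiry)
    return {
        "in_window_https_corp_ip": validate_account_sas(sas, noon, "203.0.113.9", "https"),
        "expired": validate_account_sas(sas, expiry + timedelta(minutes=1), "203.0.113.9", "https"),
        "wrong_ip": validate_account_sas(sas, noon, "198.51.100.1", "https"),
        "plain_http": validate_account_sas(sas, noon, "203.0.113.9", "http"),
        "tampered_permissions": validate_account_sas(sas.replace("sp=rw&", "sp=rwd&"), noon, "203.0.113.9", "https"),
        "after_key1_rotation": validate_account_sas(sas, noon, "203.0.113.9", "https", keys=rotated),
        "key2_token_after_rotation": validate_account_sas(key2_sas, noon, "203.0.113.9", "https", keys=rotated),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:32} {result}")
```

The last two scenarios are the operational point behind having two keys: an account SAS is only as revocable as the key that signed it, so regenerating key1 is the way to kill every token signed with it, and clients must already be on key2 when you do.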

Configure Stored Access Policies

Explanation

Stored access policies provide centralized management of SAS token permissions for containers and queues. They allow you to revoke access or modify permissions without regenerating SAS tokens.

Examples

Creating named policies for different user groups, updating permissions for existing SAS tokens, revoking access by deleting policies, managing long-term access scenarios.

Enterprise Use Case

Organizations use stored access policies for centralized access control, easy permission management, compliance auditing, and secure third-party integrations.

Diagram

Stored Access Policy Management:

    Container Access Policies
    ═══════════════════════════
    
    📋 Policy: "ReadOnlyUsers"
    ┌─────────────────────────┐
    │ 🔓 Permissions: r       │
    │ 📅 Start: (not set)     │──┐
    │ 📅 Expiry: 2024-12-31   │  │
    └─────────────────────────┘  │
                                 │
    📋 Policy: "UploaderAccess"  │
    ┌─────────────────────────┐  │
    │ 🔓 Permissions: rw      │  │
    │ 📅 Start: 2024-01-01    │  │
    │ 📅 Expiry: 2024-06-30   │  │
    └─────────────────────────┘  │
                                 │
                     SAS Generation
                                 │
                                 ▼
    🔗 SAS URL: https://storage.../container?sp=ReadOnlyUsers&sig=...
    
    Policy Benefits:
    ┌─────────────────────────────────────────────────────┐
    │ ✅ Centralized Control: Modify all tokens at once   │
    │ 🚫 Instant Revocation: Delete policy = revoke all  │
    │ 📊 Audit Trail: Track policy changes              │
    │ 🔄 Permission Updates: Change without new tokens   │
    └─────────────────────────────────────────────────────┘

Manage Storage Account Access Keys

Explanation

Storage account access keys provide full access to the storage account and all its services. Azure provides two keys for high availability, and they can be regenerated for security without downtime.

Examples

Rotating keys regularly for security, using key1 while regenerating key2, configuring applications with connection strings, monitoring key usage in access logs.

Enterprise Use Case

Organizations manage access keys for application authentication, scheduled key rotation for compliance, emergency access scenarios, and legacy application integration.

Diagram

Access Key Management & Rotation:

    ┌─────────────────────────────────────────────────────────────────┐
    │                  🔐 DUAL KEY ARCHITECTURE                       │
    └─────────────────────────────────────────────────────────────────┘
    
    Storage Account: mystorageaccount
    ═══════════════════════════════════
    
    🔑 Primary Key (key1)           🔑 Secondary Key (key2)
    ┌─────────────────────┐        ┌─────────────────────┐
    │ Active Applications │        │    Backup Key       │
    │ Connection Strings  │        │ Ready for Rotation  │
    │ Production Systems  │        │   Testing/Staging   │
    └─────────────────────┘        └─────────────────────┘
             │                              │
             │                              │
             ▼                              ▼
    ┌─────────────────────────────────────────────────────┐
    │            💾 STORAGE SERVICES                      │
    │ • Blob Storage    • File Storage                    │
    │ • Queue Storage   • Table Storage                   │
    └─────────────────────────────────────────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🔄 KEY ROTATION PROCESS                      │
    └─────────────────────────────────────────────────────────────────┘
    
    Phase 1: Preparation          Phase 2: Rotation          Phase 3: Cleanup
    ══════════════════           ══════════════════         ═══════════════════
    
    📋 1. Update secondary       🔄 4. Regenerate primary    🗑️ 7. Update apps to
          applications to              key (creates new           use new primary
          use key2                     key value)
                                                             🔄 8. Regenerate  
    ✅ 2. Test connectivity     ⚡ 5. Applications using           secondary key
          with key2                   old key1 lose access
                                                             ✅ 9. Verify all systems
    📝 3. Document the          🔧 6. Update applications           working properly
          rotation plan              to use new key1
    
    Key Benefits:
    ┌─────────────────────────────────────────────────────────┐
    │ 🔒 Zero Downtime: Always have one working key          │
    │ 🔄 Regular Rotation: Enhance security posture          │
    │ 🚨 Emergency Access: Revoke compromised keys quickly   │
    │ 📊 Access Monitoring: Track key usage in logs         │
    └─────────────────────────────────────────────────────────┘
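The three-phase rotation above as a runbook in code. This is an added example, not code from the guide: it drives the phases against an in-memory stand-in for the account's key operations (consumers move to key2, key1 is regenerated, consumers move to the new key1, key2 is regenerated), and `naive_rotate` shows the failure the phases prevent, regenerating the key consumers are still bound to and cutting them off. `FakeStorageKeys` is constructed for offline use; against a real account the two calls it mirrors are `list_keys` and `regenerate_key` on `storage_accounts` of the azure-mgmt-storage `StorageManagementClient` (assumption: that SDK surface as I know it; the fake copies only its shape).

```python
"""Dual-key rotation runbook (added example; fake key backend, constructed values)."""
import base64
import secrets
from dataclasses import dataclass


class FakeStorageKeys:
    """Stand-in for the ARM key operations on one storage account (constructed)."""

    def __init__(self):
        self._keys = {"key1": self._new_key(), "key2": self._new_key()}

    @staticmethod
    def _new_key() -> str:
        return base64.b64encode(secrets.token_bytes(64)).decode()

    def list_keys(self) -> dict:
        return dict(self._keys)

    def regenerate_key(self, key_name: str) -> dict:
        """Replace one key; the other keeps working, which is what makes zero-downtime possible."""
        self._keys[key_name] = self._new_key()
        return dict(self._keys)

    def authenticate(self, key_value: str) -> bool:
        """Data-plane check: either current key value is accepted, old values are not."""
        return key_value in self._keys.values()


@dataclass
class Consumer:
    name: str
    key_value: str   # what sits in the application's connection string

    def can_connect(self, account: FakeStorageKeys) -> bool:
        return account.authenticate(self.key_value)


def repoint(consumers, account, key_name: str) -> None:
    """Update every consumer's connection string to the named key's current value."""
    value = account.list_keys()[key_name]
    for c in consumers:
        c.key_value = value


def disconnected(consumers, account) -> list:
    return [c.name for c in consumers if not c.can_connect(account)]


def rotate(account, consumers) -> list:
    """Phased rotation. Returns consumers that lost access at any step (expected: none)."""
    lost = []
    repoint(consumers, account, "key2")        # Phase 1: move everyone to the secondary
    lost += disconnected(consumers, account)   #          and test connectivity
    account.regenerate_key("key1")             # Phase 2: regenerate the primary;
    lost += disconnected(consumers, account)   #          nobody is on key1, so no impact
    repoint(consumers, account, "key1")        # Phase 3: move to the new primary,
    account.regenerate_key("key2")             #          then regenerate the secondary
    lost += disconnected(consumers, account)
    return lost


def naive_rotate(account, consumers) -> list:
    """Regenerate the key consumers still use: returns who got cut off."""
    account.regenerate_key("key1")
    return disconnected(consumers, account)


if __name__ == "__main__":
    acct = FakeStorageKeys()
    apps = [Consumer("web", acct.list_keys()["key1"]), Consumer("etl", acct.list_keys()["key1"])]
    print("phased rotation lost:", rotate(acct, apps))          # []
    bad = FakeStorageKeys()
    apps2 = [Consumer("web", bad.list_keys()["key1"])]
    print("naive rotation lost:", naive_rotate(bad, apps2))     # ['web']
```

After a phased rotation both old key values are dead, so a key that leaked before the rotation (the "emergency access" case in the diagram) no longer authenticates; the `assert`-style checks in `rotate` are the places to hook monitoring of the access logs mentioned above.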

Configure Identity-based Access for Azure Files

Explanation

Azure Files supports identity-based authentication using Azure AD Domain Services or on-premises Active Directory. This enables Windows ACL permissions and seamless integration with existing identity infrastructure.

Examples

Using corporate AD credentials for file share access, setting NTFS permissions on Azure file shares, integrating with hybrid identity setups, Kerberos authentication.

Enterprise Use Case

Enterprises use identity-based access for seamless user experience, compliance with security policies, centralized user management, and lift-and-shift scenarios.

Diagram

Azure Files Identity Integration:

    ┌─────────────────────────────────────────────────────────────────┐
    │                🆔 IDENTITY-BASED ACCESS FLOW                    │
    └─────────────────────────────────────────────────────────────────┘
    
    On-premises Environment              Azure Environment
    ═══════════════════════             ══════════════════
    
    👤 User                             ☁️ Azure Files
    │                                  │
    │ 1. Windows Login                 │ 4. Identity Validation
    ▼                                  ▼
    🏢 Active Directory ────────────► 🆔 Azure AD Domain Services
    │  (corp.local)        AD Connect   │  (corp.onmicrosoft.com)
    │                                   │
    │ 2. Kerberos Token                │ 5. Access Decision
    │                                  │
    └──────────────────────────────────┼─────────────────────┐
                                       ▼                     │
                              ┌─────────────────────┐       │
                              │  📁 Azure File Share │       │
                              │                     │       │
                              │  NTFS Permissions:  │       │
                              │  • Domain Users: R  │       │
                              │  • Managers: RW     │◄──────┘
                              │  • IT Admins: FC    │ 6. File Access
                              │                     │
                              └─────────────────────┘
    
    Authentication Methods:
    ════════════════════════
    
    🔐 Azure AD Domain Services         🏢 On-premises AD (Preview)
    ┌─────────────────────────┐        ┌──────────────────────────┐
    │ ☁️ Cloud-managed AD      │        │ 🏢 Hybrid AD integration │
    │ 🔄 Synchronized users    │        │ 📡 Direct connectivity    │
    │ 🎯 Azure-native setup    │        │ 🔗 VPN/ExpressRoute      │
    │ ✅ Fully supported       │        │ ⚠️ Preview feature       │
    └─────────────────────────┘        └──────────────────────────┘
                 │                                    │
                 ▼                                    ▼
            📊 Use Cases:                       📊 Use Cases:
            • New Azure deployments            • Lift-and-shift scenarios
            • Cloud-first organizations        • Existing AD infrastructure
            • Simplified management            • Complex group policies

Storage Authorization Methods

Explanation

Azure Storage supports multiple authorization methods including Azure AD, Shared Access Signatures (SAS), and storage account keys. Each method provides different levels of security and granularity.

Examples

Using Azure AD for user-based access control, SAS tokens for temporary access, account keys for administrative access, role-based permissions for different user groups.

Enterprise Use Case

Organizations implement layered authorization strategies combining Azure AD for users, SAS for applications, and keys for emergency access and legacy systems.

Diagram

Storage Authorization Hierarchy:

    ┌─────────────────────────────────────────────────────────────────┐
    │                   🔒 AUTHORIZATION METHODS                      │
    └─────────────────────────────────────────────────────────────────┘
    
    Security Level: High ────────────────────────► Low
    
    🆔 Azure Active Directory    🎫 Shared Access Signature    🔑 Storage Account Keys
    ═══════════════════════     ═══════════════════════════    ═══════════════════════
    
    ✅ Best Practice             ⚖️ Balanced Security         ⚠️ Use with Caution
    🎯 Fine-grained control     ⏰ Time-limited access       🔓 Full account access
    👤 User/App identity        🎛️ Resource-level control    🔧 Administrative tasks
    📊 Audit trail             📱 3rd party integrations     🚨 Legacy applications
    
         │                           │                            │
         ▼                           ▼                            ▼
    ┌─────────────┐            ┌─────────────┐             ┌─────────────┐
    │🎭 Identity  │            │⏱️ Temporary │             │🗝️ Full      │
    │  Based      │            │  Access     │             │  Access     │
    │             │            │             │             │             │
    │• RBAC Roles │            │• Time-bound │             │• All services│
    │• Conditions │            │• IP restrict│             │• All operations│
    │• MFA support│            │• Protocol   │             │• No expiration│
    └─────────────┘            └─────────────┘             └─────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                      🎯 ACCESS PATTERNS                         │
    └─────────────────────────────────────────────────────────────────┘
    
    Scenario                    Recommended Method             Why?
    ════════════════           ══════════════════             ═════
    
    👨‍💻 Developer Access       🆔 Azure AD + RBAC            Identity-based, auditable
    📱 Mobile App              🎫 SAS with User Delegation   Secure, temporary access  
    🤖 Automated Service       🆔 Managed Identity            No stored secrets
    🔧 Administrative Tasks    🔑 Storage Account Key         Full access when needed
    🌐 Public Website          🎫 Anonymous Blob Access      No authentication needed
    📊 Analytics Pipeline      🎫 Service SAS                Scoped access to data
    🚨 Emergency Recovery      🔑 Storage Account Key         Reliable access method

Storage Encryption

Explanation

Azure Storage automatically encrypts all data at rest using 256-bit AES encryption. Data is encrypted before being written to storage and decrypted when retrieved. Encryption is transparent to applications.

Examples

Automatic encryption for all storage services, integration with Azure Key Vault, compliance with regulatory requirements, protection against physical media theft.

Enterprise Use Case

Organizations rely on storage encryption for data protection compliance, security regulations (HIPAA, SOX), customer data privacy, and defense against physical threats.

Diagram

Storage Encryption Architecture:

    ┌─────────────────────────────────────────────────────────────────┐
    │                  🔐 ENCRYPTION AT REST FLOW                     │
    └─────────────────────────────────────────────────────────────────┘
    
    Application Data              Encryption Process              Physical Storage
    ═══════════════              ══════════════════              ════════════════
    
    📄 Plain Text                🔐 AES-256 Encryption          💾 Encrypted Data
    ┌─────────────┐              ┌─────────────────────┐        ┌─────────────┐
    │ Customer    │──────────────►│  Transparent        │────────►│ ############│
    │ Data        │              │  Encryption         │        │ ############│
    │             │              │                     │        │ ############│
    │ • Documents │              │ 🔑 Encryption Key   │        │ ############│
    │ • Images    │              │ 🛡️ AES-256          │        │ Cipher Text │
    │ • Videos    │              │ ⚡ Hardware         │        │ on Disks    │
    │ • Backups   │              │   Accelerated       │        │             │
    └─────────────┘              └─────────────────────┘        └─────────────┘
            │                              │                              │
            │                              ▼                              │
            │                    ┌─────────────────────┐                 │
            │                    │   🗝️ KEY MANAGEMENT │                 │
            │                    │                     │                 │
            └────────────────────┤  Microsoft-managed  │◄────────────────┘
                    Read         │  Keys (Default)     │      Write
                    Request      │                     │      Request
                                 │  🏢 Customer-managed │
                                 │     Keys (Optional) │
                                 └─────────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                   🔑 KEY MANAGEMENT OPTIONS                     │
    └─────────────────────────────────────────────────────────────────┘
    
    Microsoft-Managed Keys (MMK)      Customer-Managed Keys (CMK)
    ═══════════════════════════       ═══════════════════════════
    
    🔧 Default Option                 🎯 Advanced Control
    🔐 Automatic Key Rotation         🔄 Customer Key Rotation
    ✅ No Configuration Required      🗂️ Azure Key Vault Integration
    💰 No Additional Cost             💵 Key Vault Charges Apply
    🛡️ Microsoft Responsibility       👤 Customer Responsibility
    
    ┌─────────────────────────┐      ┌─────────────────────────────┐
    │    📊 Benefits:         │      │      📊 Benefits:           │
    │                         │      │                             │
    │ • Zero management       │      │ • Regulatory compliance     │
    │ • Automatic updates     │      │ • Key access control       │
    │ • High availability     │      │ • Audit trail              │
    │ • Microsoft support     │      │ • Bring your own key       │
    └─────────────────────────┘      └─────────────────────────────┘

Customer-Managed Keys (CMK)

Explanation

Customer-managed keys allow you to control encryption keys using Azure Key Vault. You can create, disable, audit, and rotate encryption keys according to your compliance requirements and security policies.

Examples

Using Azure Key Vault for key storage, implementing key rotation policies, meeting regulatory compliance (FIPS 140-2), integrating with HSMs for enhanced security.

Enterprise Use Case

Highly regulated industries use CMK for compliance requirements, key ownership control, audit trail maintenance, and integration with existing key management infrastructure.

Diagram

Customer-Managed Key Architecture:

    ┌─────────────────────────────────────────────────────────────────┐
    │                🏛️ CUSTOMER-MANAGED KEY WORKFLOW                │
    └─────────────────────────────────────────────────────────────────┘
    
    Customer Environment           Azure Key Vault              Storage Account
    ══════════════════            ═══════════════              ═══════════════
    
    👤 Administrator               🔐 Key Vault                📦 Storage Account
    │                             │                          │
    │ 1. Create key               │ 3. Store & manage        │ 5. Encrypt data
    │    in Key Vault             │    encryption key        │    with customer key
    ▼                             ▼                          ▼
    ┌─────────────────┐          ┌──────────────────┐       ┌──────────────────┐
    │ 🗝️ Key Creation │          │  🏛️ Azure Key   │       │ 🔒 Data Storage  │
    │                 │          │     Vault        │       │                  │
    │ • RSA 2048/3072 │─────────►│                  │──────►│ • AES-256        │
    │ • RSA-HSM       │ 2. Grant │ • Key versions   │ 4. Get│ • Transparent    │
    │ • Access policy │   access │ • Auto-rotation  │   key │ • Real-time      │
    │ • Permissions   │          │ • Audit logs     │       │ • High perf      │
    └─────────────────┘          └──────────────────┘       └──────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🔄 KEY LIFECYCLE MANAGEMENT                  │
    └─────────────────────────────────────────────────────────────────┘
    
    Phase 1: Creation           Phase 2: Active Use         Phase 3: Rotation
    ═══════════════════        ══════════════════          ══════════════════
    
    🔧 Setup Process:          ⚡ Operational Phase:       🔄 Maintenance:
    
    1. Create Key Vault        4. Storage uses key         7. Generate new key
    2. Create encryption key   5. Data encrypt/decrypt     8. Update storage config
    3. Grant storage access    6. Monitor key usage        9. Disable old key version
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                        ⚖️ COMPLIANCE BENEFITS                   │
    └─────────────────────────────────────────────────────────────────┘
    
    Regulatory Compliance        Key Control Benefits        Security Enhancements
    ═══════════════════════     ══════════════════════      ═══════════════════════
    
    🏛️ FIPS 140-2 Level 2       👤 Customer ownership       🔍 Detailed audit logs
    📋 Common Criteria          🚫 Key access control       🔐 HSM protection option  
    🛡️ SOC 2 Type 2            ⏰ Custom rotation          🚨 Key compromise recovery
    📊 HIPAA compliance         📊 Usage monitoring         🎯 Regional key residency
    🔒 Privacy regulations      🔄 Lifecycle management     ⚡ Zero-trust architecture

Create Storage Accounts via Portal

Explanation

The Azure portal provides a wizard-based interface for creating storage accounts with guided configuration options. The portal helps select appropriate performance tiers, replication options, and security settings.

Examples

Using the portal wizard to create general-purpose v2 accounts, selecting blob hot/cool tiers, configuring network access rules, setting up advanced security options.

Enterprise Use Case

IT administrators use the portal for initial storage account setup, learning storage configurations, one-off account creation, and when visual guidance is preferred.

Diagram

Portal Storage Account Creation Flow:

    ┌─────────────────────────────────────────────────────────────────┐
    │                   🌐 AZURE PORTAL WIZARD                        │
    └─────────────────────────────────────────────────────────────────┘
    
    Step 1: Basics              Step 2: Advanced            Step 3: Networking
    ══════════════             ═══════════════════          ══════════════════
    
    📋 Resource Group          🔐 Security Options          🌐 Network Access
    📍 Location               🚀 Performance Tier          🏢 Virtual Networks
    📝 Storage Account Name    🔄 Replication Type         🔒 Firewall Rules
    🎛️ Account Kind            ⚡ Access Tier              🔓 Public Access
    
           │                          │                          │
           ▼                          ▼                          ▼
    ┌─────────────────────┐  ┌─────────────────────┐  ┌─────────────────────┐
    │ 📊 Account Type:    │  │ 🛡️ Security:        │  │ 🌍 Connectivity:    │
    │                     │  │                     │  │                     │
    │ • General Purpose   │  │ • Blob encryption   │  │ • All networks      │
    │ • Blob Storage      │  │ • Infrastructure    │  │ • Selected networks │
    │ • Block Blob        │  │   encryption        │  │ • Private endpoint  │
    │ • File Storage      │  │ • Hierarchical      │  │                     │
    │                     │  │   namespace         │  │ Service Endpoints:  │
    │ Performance:        │  │ • Secure transfer   │  │ ✅ Microsoft.Storage│
    │ • Standard          │  │   required          │  │                     │
    │ • Premium           │  │                     │  │ Firewall Rules:     │
    │                     │  │ Replication:        │  │ • IP ranges         │
    │ Redundancy:         │  │ • LRS, ZRS, GRS     │  │ • Virtual networks  │
    │ • Locally redundant │  │ • RA-GRS, GZRS      │  │ • Exceptions        │
    │ • Zone redundant    │  │ • RA-GZRS           │  │                     │
    │ • Geo redundant     │  │                     │  │                     │
    └─────────────────────┘  └─────────────────────┘  └─────────────────────┘
           │                          │                          │
           └──────────────────────────┼──────────────────────────┘
                                      ▼
                         ┌─────────────────────────┐
                         │   ✅ REVIEW & CREATE    │
                         │                         │
                         │  📊 Configuration       │
                         │      Summary            │
                         │  💰 Pricing Estimate    │
                         │  🚀 Deploy Resources    │
                         └─────────────────────────┘

Create Storage Accounts via CLI

Explanation

Azure CLI provides command-line storage account creation with the "az storage account create" command. CLI offers programmatic control, scripting capabilities, and integration with DevOps pipelines.

Examples

Creating storage accounts with CLI scripts, automating storage deployment in pipelines, bulk storage account creation, setting specific configuration parameters.

Enterprise Use Case

DevOps engineers use CLI for Infrastructure as Code, automated deployments, CI/CD pipelines, and when scripting complex storage configurations.

Diagram

CLI Storage Account Commands & Examples:

    ┌─────────────────────────────────────────────────────────────────┐
    │                    💻 AZURE CLI COMMANDS                        │
    └─────────────────────────────────────────────────────────────────┘
    
    Basic Creation Command:
    ════════════════════════
    az storage account create \
      --name mystorageaccount123 \
      --resource-group myResourceGroup \
      --location eastus \
      --sku Standard_LRS
    
    Advanced Configuration:
    ════════════════════════
    az storage account create \
      --name enterprisestorage \
      --resource-group production-rg \
      --location eastus2 \
      --sku Standard_GZRS \
      --kind StorageV2 \
      --access-tier Hot \
      --https-only true \
      --min-tls-version TLS1_2 \
      --allow-blob-public-access false \
      --default-action Deny
    
    Option reference (nothing may follow a trailing \ on a continued line):
      --sku                        📊 Replication
      --kind                       🎛️ Account Kind
      --access-tier                🌡️ Blob Access Tier
      --https-only                 🔒 Secure Transfer
      --min-tls-version            🔐 TLS Version
      --allow-blob-public-access   🚫 Public Access
      --default-action             🛡️ Network Rules
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                     🎯 CLI AUTOMATION PATTERNS                  │
    └─────────────────────────────────────────────────────────────────┘
    
    Script Example:
    ══════════════
    
    #!/bin/bash
    
    # Variables
    RG_NAME="storage-rg"
    LOCATION="westus2"
    STORAGE_BASE="companystore"
    
    # Create multiple accounts
    for i in {1..5}; do
      az storage account create \
        --name "${STORAGE_BASE}${i}" \
        --resource-group "$RG_NAME" \
        --location "$LOCATION" \
        --sku Standard_LRS
      
      echo "Created ${STORAGE_BASE}${i}"
    done
    
    Pipeline Integration:
    ═══════════════════════
    
    # Azure DevOps Pipeline ($(var) is pipeline macro syntax, expanded before the script runs)
    - task: AzureCLI@2
      inputs:
        azureSubscription: 'prod'
        scriptType: 'bash'
        scriptLocation: 'inlineScript'
        inlineScript: |
          az storage account create \
            --name $(storageAccountName) \
            --resource-group $(resourceGroup) \
            --sku $(replicationSku)
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                      ⚙️ CONFIGURATION OPTIONS                   │
    └─────────────────────────────────────────────────────────────────┘
    
    SKU Options:                      Kind Options:                    
    ════════════                     ═════════════                    
    • Standard_LRS                   • Storage (legacy)
    • Standard_ZRS                   • StorageV2 (recommended)
    • Standard_GRS                   • BlobStorage (blob only)
    • Standard_RAGRS                 • FileStorage (premium files)
    • Standard_GZRS                  • BlockBlobStorage (premium blobs)
    • Standard_RAGZRS
    • Premium_LRS                    Access Tier:
    • Premium_ZRS                    ═══════════
                                    • Hot (frequent access)
    Network Access:                  • Cool (infrequent access)
    ══════════════
    • --default-action Allow         TLS Version:
    • --default-action Deny          ════════════
    • --bypass AzureServices         • TLS1_0, TLS1_1, TLS1_2

Create Storage Accounts via PowerShell

Explanation

PowerShell provides object-oriented storage account creation through the New-AzStorageAccount cmdlet. It offers advanced scripting, Windows integration, and comprehensive parameter control.

Examples

Creating storage accounts with PowerShell objects, using Windows authentication, integrating with existing PowerShell automation, bulk operations with CSV data.

Enterprise Use Case

Windows administrators use PowerShell for enterprise automation, integration with existing Windows infrastructure, complex provisioning scenarios, and advanced scripting.

Diagram

PowerShell Storage Account Creation & Management:

    ┌─────────────────────────────────────────────────────────────────┐
    │                  ⚡ POWERSHELL CMDLETS & OBJECTS                │
    └─────────────────────────────────────────────────────────────────┘
    
    Basic Creation:
    ═══════════════
    # PowerShell continues a line with a backtick, not a backslash
    $storageAccount = New-AzStorageAccount `
        -ResourceGroupName "myResourceGroup" `
        -Name "mystorageaccount" `
        -Location "East US" `
        -SkuName "Standard_LRS"
    
    Advanced Configuration:
    ════════════════════════
    # Splatting: pass the hashtable as parameters with @storageParams
    $storageParams = @{
        ResourceGroupName      = "production-rg"
        Name                   = "enterprisestorage"
        Location               = "East US 2"
        SkuName                = "Standard_GZRS"
        Kind                   = "StorageV2"
        AccessTier             = "Hot"
        EnableHttpsTrafficOnly = $true
        MinimumTlsVersion      = "TLS1_2"
        AllowBlobPublicAccess  = $false
        PublicNetworkAccess    = "Disabled"
    }
    
    $storageAccount = New-AzStorageAccount @storageParams
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🎯 POWERSHELL AUTOMATION                     │
    └─────────────────────────────────────────────────────────────────┘
    
    CSV-Based Bulk Creation:
    ════════════════════════
    
    # Import from CSV (expected columns: RG, Name, Location, Sku)
    $accounts = Import-Csv accounts.csv
    
    foreach ($account in $accounts) {
        New-AzStorageAccount `
            -ResourceGroupName $account.RG `
            -Name $account.Name `
            -Location $account.Location `
            -SkuName $account.Sku
    
        Write-Host "Created $($account.Name)"
    }
    
    Object Pipeline Processing:
    ════════════════════════════
    
    # Pipeline example: build a data-plane context for every StorageV2 account
    $contexts = Get-AzStorageAccount |
        Where-Object { $_.Kind -eq "StorageV2" } |
        ForEach-Object {
            $key = (Get-AzStorageAccountKey `
                -ResourceGroupName $_.ResourceGroupName `
                -Name $_.StorageAccountName)[0].Value
            New-AzStorageContext `
                -StorageAccountName $_.StorageAccountName `
                -StorageAccountKey $key
        }
    # $contexts now holds one context per account for data operations
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                     📊 OBJECT PROPERTIES                        │
    └─────────────────────────────────────────────────────────────────┘
    
    Storage Account Object Properties:
    ═══════════════════════════════════
    $storageAccount.StorageAccountName    # Account name
    $storageAccount.ResourceGroupName     # Resource group
    $storageAccount.Location             # Azure region
    $storageAccount.Sku.Name            # Replication type
    $storageAccount.Kind                # Account kind
    $storageAccount.AccessTier          # Hot/Cool tier
    $storageAccount.PrimaryEndpoints    # Service endpoints
    $storageAccount.NetworkRuleSet      # Network access rules
    $storageAccount.Encryption          # Encryption settings
    
    Common Operations:
    ══════════════════
    # Get storage account key
    $key = (Get-AzStorageAccountKey `
        -ResourceGroupName $rg `
        -Name $name)[0].Value
    
    # Create storage context
    $ctx = New-AzStorageContext `
        -StorageAccountName $name `
        -StorageAccountKey $key
    
    # Update access tier
    Set-AzStorageAccount `
        -ResourceGroupName $rg `
        -Name $name `
        -AccessTier Cool

Standard vs Premium Storage Accounts

Explanation

Azure offers standard storage (HDD-based) for cost-effective general use and premium storage (SSD-based) for high-performance applications. Each type has different performance characteristics and pricing.

Examples

Standard for backup storage and archives, premium for database storage and high IOPS applications, choosing based on performance vs cost requirements.

Enterprise Use Case

Organizations choose standard for cost-sensitive workloads and premium for performance-critical applications like databases, virtual machine disks, and real-time analytics.

Diagram

Storage Account Performance Comparison:

    ┌─────────────────────────────────────────────────────────────────┐
    │                  ⚖️ STANDARD vs PREMIUM STORAGE                 │
    └─────────────────────────────────────────────────────────────────┘
    
    💾 Standard Storage              🚀 Premium Storage
    ═══════════════════             ═══════════════════
    
    🔧 Technology:                  🔧 Technology:
    • HDD-based storage             • SSD-based storage
    • Magnetic disk drives          • Solid-state drives
    • Lower cost per GB             • Higher performance
    
    📊 Performance Characteristics:  📊 Performance Characteristics:
    • IOPS: Up to 20,000            • IOPS: Up to 80,000+
    • Throughput: Up to 900 MB/s    • Throughput: Up to 2,000 MB/s
    • Latency: Higher (5-10ms)      • Latency: Lower (<1ms)
    
           │                               │
           ▼                               ▼
    ┌──────────────────┐            ┌──────────────────┐
    │ 💰 COST-EFFECTIVE │            │ ⚡ HIGH-PERFORMANCE│
    │                  │            │                  │
    │ Use Cases:       │            │ Use Cases:       │
    │ • Web apps       │            │ • SQL databases  │
    │ • File shares    │            │ • VM OS disks    │
    │ • Backup data    │            │ • Analytics      │
    │ • Archive        │            │ • Gaming apps    │
    │ • Development    │            │ • Media streaming│
    │                  │            │                  │
    │ SKU Options:     │            │ SKU Options:     │
    │ • Standard_LRS   │            │ • Premium_LRS    │
    │ • Standard_ZRS   │            │ • Premium_ZRS    │
    │ • Standard_GRS   │            │                  │
    │ • Standard_RAGRS │            │                  │
    │ • Standard_GZRS  │            │                  │
    │ • Standard_RAGZRS│            │                  │
    └──────────────────┘            └──────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🎯 DECISION MATRIX                           │
    └─────────────────────────────────────────────────────────────────┘
    
    Workload Characteristics          Recommended Type       Why?
    ════════════════════════         ═══════════════════    ═════════════
    
    📊 High IOPS (>20K)               🚀 Premium            SSD performance
    💾 Large files, archival          💰 Standard           Cost-effective
    🎮 Gaming, real-time apps         🚀 Premium            Low latency
    🗂️ File shares, collaboration     💰 Standard           Sufficient perf
    💿 Database workloads             🚀 Premium            Consistent IOPS
    📈 Analytics, big data            🚀 Premium            High throughput
    🔄 Backup, disaster recovery      💰 Standard           Cost priority
    🌐 Static websites                💰 Standard           Basic needs
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                      💲 PRICING COMPARISON                      │
    └─────────────────────────────────────────────────────────────────┘
    
    Standard Storage:                Premium Storage:
    ═════════════════               ════════════════
    
    💰 ~$0.02/GB/month              💰 ~$0.15/GB/month
    📊 Transaction charges          📊 No transaction charges
    🔄 Data transfer costs          🔄 Data transfer costs
    
    Total Cost Factors:             Total Cost Factors:
    • Storage capacity              • Storage capacity
    • Transaction volume           • No per-transaction fees
    • Data egress                  • Data egress
    • Redundancy option            • Redundancy option

Configure Azure Storage Redundancy

Explanation

Azure Storage redundancy protects data against hardware failures and disasters. Options include LRS (local), ZRS (zone), GRS (geo), RA-GRS (read-access geo), GZRS (geo-zone), and RA-GZRS for different durability and availability needs.

Examples

LRS for cost-effective local protection, ZRS for zone failures, GRS for regional disasters, RA-GRS for read access during outages, GZRS for maximum protection.

Enterprise Use Case

Organizations select redundancy based on RPO/RTO requirements, compliance needs, budget constraints, and criticality of data for business operations.

Diagram

Storage Redundancy Options & Protection Levels:

    ┌─────────────────────────────────────────────────────────────────┐
    │                   🛡️ REDUNDANCY PROTECTION MATRIX              │
    └─────────────────────────────────────────────────────────────────┘
    
    Protection Level: Low ────────────────────────────► High
    
    LRS                ZRS               GRS                 RA-GRS              GZRS                RA-GZRS
    ═══               ═══               ═══                 ══════              ════                ═══════
    
    🏠 Local          🏢 Zone           🌍 Geographic       🌍📖 Geo + Read     🌍🏢 Geo + Zone    🌍🏢📖 All
    
    Single DC         Multiple AZ       Secondary Region    Secondary + Read    Secondary + AZ     Secondary + AZ + Read
    
         │                 │                   │                   │                   │                   │
         ▼                 ▼                   ▼                   ▼                   ▼                   ▼
    ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐
    │💰 Cheapest  │   │⚖️ Balanced   │   │🌍 Disaster  │   │🌍📖 DR +    │   │🏆 Premium   │   │👑 Ultimate  │
    │             │   │             │   │  Recovery   │   │  Read Access│   │ Protection  │   │ Protection  │
    │3x copies    │   │3x copies    │   │6x copies    │   │6x copies    │   │6x copies    │   │6x copies    │
    │Same DC      │   │3 zones      │   │2 regions    │   │2 regions    │   │2 regions +  │   │2 regions +  │
    │             │   │             │   │             │   │+ read access│   │  zone redund│   │ zone + read │
    │             │   │Zone failure │   │Region       │   │Region       │   │Region +     │   │Region +     │
    │Hardware     │   │protection   │   │failure      │   │failure +    │   │zone failure │   │zone + read  │
    │failure only │   │             │   │protection   │   │read during  │   │protection   │   │access       │
    │             │   │             │   │             │   │outage       │   │             │   │             │
    └─────────────┘   └─────────────┘   └─────────────┘   └─────────────┘   └─────────────┘   └─────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    📍 GEOGRAPHIC DISTRIBUTION                   │
    └─────────────────────────────────────────────────────────────────┘
    
    Local Redundancy (LRS/ZRS):          Geographic Redundancy (GRS/RA-GRS/GZRS/RA-GZRS):
    ═══════════════════════════════      ════════════════════════════════════════════════════
    
    🏢 Primary Region                    🌍 Primary Region ◄─────► 🌍 Secondary Region
    ┌─────────────────────────┐          ┌─────────────────────┐    ┌─────────────────────┐
    │      Data Center        │          │    Primary DC       │    │   Secondary DC      │
    │  ┌─────┐  ┌─────┐      │          │  ┌─────┐  ┌─────┐  │    │  ┌─────┐  ┌─────┐  │
    │  │ DC  │  │ DC  │ ZRS  │          │  │ DC  │  │ DC  │  │    │  │ DC  │  │ DC  │  │
    │  │ A   │  │ B   │      │          │  │ A   │  │ B   │  │    │  │ C   │  │ D   │  │
    │  └─────┘  └─────┘      │          │  └─────┘  └─────┘  │    │  └─────┘  └─────┘  │
    │          ┌─────┐       │          └─────────────────────┘    └─────────────────────┘
    │          │ DC  │       │                    │                          │
    │          │ C   │       │                    │ Async                    │
    │          └─────┘       │                    │ Replication              │
    └─────────────────────────┘                    ▼ (RPO: <15 min)          ▼
    
    LRS: 3 copies in single DC            Primary Data ────────────► Secondary Data
    ZRS: 3 copies across zones            (Available)               (Available for RA-*)
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                      🎯 USE CASE RECOMMENDATIONS                │
    └─────────────────────────────────────────────────────────────────┘
    
    Scenario                     Recommended              Why?
    ════════════════════════    ══════════════════       ═══════════════════════════════
    
    🧪 Development/Testing       LRS                     Cost-effective, acceptable risk
    📊 Production Apps           ZRS or GRS              Zone/region protection needed
    💼 Business Critical         RA-GRS or RA-GZRS      Read access during outages
    🏦 Financial Services        GZRS or RA-GZRS        Maximum protection required
    📈 Analytics Workloads       GRS or GZRS            Large datasets, DR important
    🌐 Global Applications       RA-GRS or RA-GZRS      Multi-region read access
    🔄 Backup Storage           GRS                     Geographic protection
    📱 Mobile Apps              RA-GRS                  Read access globally
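As an added example (not from the study guide), this Az PowerShell function audits every storage account in the current subscription against the recommendations above; the `environment` tag name and the per-environment SKU lists are assumptions modelled on the table.

```powershell
# Added example, not part of the study guide. Assumes each account carries an
# 'environment' tag (dev / prod / critical); the SKU baseline per value is an
# assumption derived from the use-case table above.
$RedundancyBaseline = @{
    dev      = @('Standard_LRS', 'Premium_LRS')                          # cost first
    prod     = @('Standard_ZRS', 'Standard_GRS', 'Standard_RAGRS',
                 'Standard_GZRS', 'Standard_RAGZRS', 'Premium_ZRS')      # zone or region protection
    critical = @('Standard_RAGRS', 'Standard_RAGZRS', 'Standard_GZRS')  # read access during outage
}

function Test-StorageRedundancyBaseline {
    param(
        [hashtable] $Baseline = $RedundancyBaseline,
        [string]    $TagName  = 'environment'
    )
    foreach ($acct in Get-AzStorageAccount) {
        $sku  = $acct.Sku.Name
        $tier = $null
        if ($acct.Tags -and $acct.Tags.ContainsKey($TagName)) {
            $tier = $acct.Tags[$TagName]
        }

        if (-not $tier -or -not $Baseline.ContainsKey($tier)) {
            # An untagged account cannot be judged; report it instead of assuming compliance.
            $status   = 'Unclassified'
            $expected = ''
        } else {
            $expected = $Baseline[$tier] -join ', '
            $status   = if ($Baseline[$tier] -contains $sku) { 'Compliant' } else { 'NonCompliant' }
        }

        [pscustomobject]@{
            Account     = $acct.StorageAccountName
            Environment = $tier
            Sku         = $sku
            Status      = $status
            Expected    = $expected
        }
    }
}

# Report non-compliant accounts first. Moving LRS to GRS/RA-GRS is a property
# update (Set-AzStorageAccount -SkuName ...), while moving to any ZRS variant
# is a separate conversion, so this script only reports and leaves remediation
# to a change ticket.
Test-StorageRedundancyBaseline | Sort-Object Status | Format-Table -AutoSize
```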

Configure Object Replication

Explanation

Object replication asynchronously copies block blobs from a source storage account to a destination account, enabling cross-region data distribution, disaster recovery copies, and data locality optimization. It is built on blob versioning and the change feed, which must be enabled on the source account before a replication policy can be created.

Examples

Replicating data to edge locations for performance, creating disaster recovery copies, distributing content globally, maintaining data sovereignty requirements.

Enterprise Use Case

Global organizations use object replication for content distribution, regulatory compliance, disaster recovery, and reducing data access latency across regions.

Diagram

Object Replication Architecture:

    ┌─────────────────────────────────────────────────────────────────┐
    │                   🔄 OBJECT REPLICATION FLOW                    │
    └─────────────────────────────────────────────────────────────────┘
    
    Source Storage Account           Replication Engine          Destination Storage Account
    ══════════════════════          ════════════════════        ═══════════════════════════
    
    🏠 Primary Region (East US)      ⚙️ Azure Platform          🌍 Secondary Region (West EU)
    ┌─────────────────────┐         ┌─────────────────┐         ┌─────────────────────┐
    │  📦 Source Account  │         │  🔄 Replication │         │ 📦 Dest Account     │
    │                     │         │     Service     │         │                     │
    │  Container: "images"│────────►│                 │────────►│ Container: "images" │
    │  • photo1.jpg       │         │ • Change Feed   │         │ • photo1.jpg        │
    │  • photo2.png       │         │ • Async Copy    │         │ • photo2.png        │
    │  • video.mp4        │         │ • Version Aware │         │ • video.mp4         │
    │                     │         │ • Retry Logic   │         │                     │
    │  📊 Change Feed:    │         └─────────────────┘         │ 📊 Replica Status:  │
    │  • Blob created     │                                     │ • Successfully      │
    │  • Blob modified    │                                     │   replicated        │
    │  • Blob deleted     │                                     │ • Replication time  │
    └─────────────────────┘                                     └─────────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🎯 REPLICATION SCENARIOS                     │
    └─────────────────────────────────────────────────────────────────┘
    
    Scenario 1: Global CDN              Scenario 2: Disaster Recovery
    ═══════════════════════             ═══════════════════════════════
    
    🌎 Americas                         🏢 Production Data
    ┌─────────────────┐                ┌─────────────────────┐
    │ East US Storage │──────────┐     │ Primary Storage     │
    │ • Web Content   │          │     │ • Business Data     │
    │ • Images        │          │     │ • Applications      │
    │ • Videos        │          │     │ • User Content      │
    └─────────────────┘          │     └─────────────────────┘
                                 │                 │
                                 │                 ▼ Replicate
                                 ▼ Replicate       ┌─────────────────────┐
                         ┌─────────────────┐      │ DR Storage          │
    🌍 Europe            │ Central Hub     │      │ • Backup Data       │
    ┌─────────────────┐  │ • Orchestration │      │ • Recovery Ready    │
    │ West EU Storage │◄─│ • Monitoring    │      │ • Cross-Region      │
    │ • Localized     │  │ • Management    │      └─────────────────────┘
    │   Content       │  └─────────────────┘      
    └─────────────────┘          │
                                 │
                                 ▼ Replicate
    🌏 Asia Pacific              ┌─────────────────┐
    ┌─────────────────┐          │ APAC Storage    │
    │ East Asia       │◄─────────│ • Regional      │
    │ • Regional      │          │   Content       │
    │   Content       │          │ • Low Latency   │
    └─────────────────┘          └─────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                      ⚙️ CONFIGURATION SETUP                     │
    └─────────────────────────────────────────────────────────────────┘
    
    Prerequisites:                     Policy Configuration:
    ═══════════════                   ════════════════════════
    
    ✅ Source account requirements:   📋 Replication Policy JSON:
    • Change feed enabled             {
    • Blob versioning enabled          "rules": [{
    • General Purpose v2               "ruleId": "replicate-images",
                                       "sourceContainer": "source-images",
    ✅ Destination requirements:       "destinationContainer": "dest-images",
    • Different storage account        "prefixMatch": ["photos/", "media/"],
    • Same replication scheme          "minCreationTime": "2024-01-01T00:00:00Z"
    • Appropriate permissions         }]
                                     }
    
    Benefits & Considerations:
    ══════════════════════════
    
    ✅ Benefits:                     ⚠️ Considerations:
    • Automated async replication    • Additional storage costs
    • Cross-region data locality     • Network egress charges  
    • Built-in retry mechanisms      • Eventual consistency
    • Change feed integration        • Policy complexity
    • Version preservation           • Monitor replication lag
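The prerequisites and the policy from the setup panel above, carried out with Az PowerShell as an added example (not the study guide's own code); the resource group, account and container names are assumed placeholders, and the destination containers are assumed to already exist.

```powershell
# Added example, not part of the study guide. All names below are placeholders.
$rg         = 'rg-storage'
$srcAccount = 'srcimageseastus'   # source: change feed + versioning required
$dstAccount = 'dstimageswesteu'   # destination: a different account, versioning required

# 1. Prerequisites: blob versioning on both accounts, change feed on the source.
foreach ($acct in @($srcAccount, $dstAccount)) {
    Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $acct `
        -IsVersioningEnabled $true
}
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $srcAccount `
    -EnableChangeFeed $true

# 2. One rule, matching the JSON above: only blobs under photos/ or media/
#    in 'source-images' created on or after 2024-01-01 are replicated.
$rule = New-AzStorageObjectReplicationPolicyRule `
    -SourceContainer      'source-images' `
    -DestinationContainer 'dest-images' `
    -PrefixMatch          'photos/', 'media/' `
    -MinCreationTime      ([datetime]'2024-01-01T00:00:00Z')

# 3. The policy is created on the DESTINATION first ('default' lets Azure assign
#    the policy ID) ...
$dstPolicy = Set-AzStorageObjectReplicationPolicy -ResourceGroupName $rg `
    -StorageAccountName $dstAccount -PolicyId default `
    -SourceAccount $srcAccount -Rule $rule

# 4. ... and the returned object is then applied to the SOURCE so both sides
#    share the same policy and rule IDs.
$srcPolicy = Set-AzStorageObjectReplicationPolicy -ResourceGroupName $rg `
    -StorageAccountName $srcAccount -InputObject $dstPolicy

# 5. Confirm what will be copied. Anyone with read access on the destination
#    account now sees this data, so review its RBAC before enabling replication.
Get-AzStorageObjectReplicationPolicy -ResourceGroupName $rg -StorageAccountName $srcAccount |
    Select-Object PolicyId, SourceAccount, DestinationAccount, Rules
```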

Azure Storage Tools (Storage Explorer, AzCopy)

Explanation

Azure Storage Tools provide GUI and command-line interfaces for managing storage data. Storage Explorer offers visual management, while AzCopy provides high-performance bulk data transfer capabilities.

Examples

Using Storage Explorer for browsing containers, AzCopy for large data migrations, bulk upload/download operations, cross-storage account transfers.

Enterprise Use Case

IT teams use Storage Explorer for visual data management and AzCopy for automated data transfers, migrations, backup operations, and CI/CD pipeline integrations.

Diagram

Azure Storage Tools Ecosystem:

    ┌─────────────────────────────────────────────────────────────────┐
    │                   🛠️ AZURE STORAGE TOOLS OVERVIEW              │
    └─────────────────────────────────────────────────────────────────┘
    
    🖥️ Azure Storage Explorer           💻 AzCopy Command Line
    ═══════════════════════════         ═══════════════════════
    
    🎯 Purpose: Visual Management       🎯 Purpose: Bulk Transfer
    📊 Interface: GUI Application       📊 Interface: Command Line
    🚀 Performance: Interactive         🚀 Performance: High Throughput
    👤 Users: Administrators           👤 Users: DevOps/Automation
    
    ┌─────────────────────┐            ┌─────────────────────┐
    │   🖼️ GUI Features   │            │  ⚡ CLI Features    │
    │                     │            │                     │
    │ • Visual browsing   │            │ • Parallel transfer │
    │ • Drag & drop       │            │ • Resume capability │
    │ • Container mgmt    │            │ • Pattern matching  │
    │ • Property editing  │            │ • Sync operations   │
    │ • Access key mgmt   │            │ • JSON logging      │
    │ • Cross-account     │            │ • Script integration│
    │   transfers         │            │ • Bandwidth control │
    └─────────────────────┘            └─────────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    📋 COMMON USAGE SCENARIOS                    │
    └─────────────────────────────────────────────────────────────────┘
    
    Data Migration
    ══════════════
    
    🔄 Large Dataset Migration: AzCopy
    
    azcopy copy \
      "C:\data\*" \
      "https://dest.blob.core.windows.net/container" \
      --recursive \
      --include-pattern="*.json;*.xml"
    
    📊 Performance: 50+ GB/hour
    ⚙️ Features: Resume, retry
    🔧 Options: Bandwidth throttling
    
    Content Management
    ══════════════════
    
    👥 Team Collaboration: Storage Explorer
    • Visual folder structure
    • Shared access management
    • File property editing
    • Cross-account browsing
    • Snapshot management
    
    🎯 Use Cases:
    • Initial exploration
    • Small file operations
    • Configuration changes
    • Access troubleshooting
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                      🚀 AZCOPY ADVANCED USAGE                   │
    └─────────────────────────────────────────────────────────────────┘
    
    Sync Operations:
    ════════════════
    
    # Sync local to cloud (--delete-destination takes a value: true, false or prompt)
    azcopy sync \
      "C:\local-data" \
      "https://storage.blob.core.windows.net/backup" \
      --delete-destination=true
    
    # Cross-storage sync
    azcopy sync \
      "https://source.blob.core.windows.net/data" \
      "https://dest.blob.core.windows.net/mirror"
    
    Performance Tuning:
    ═══════════════════
    
    --cap-mbps 1000
    --block-size-mb 100
    --check-md5 FailIfDifferent
    AZCOPY_CONCURRENCY_VALUE=32        # environment variable, not a flag
    
    Automated Scenarios:
    ═══════════════════════
    
    #!/bin/bash
    # Backup script
    
    DATE=$(date +%Y%m%d)
    BACKUP_CONTAINER="backup-$DATE"
    
    # Create container (account name taken from the URL used below)
    az storage container create \
      --account-name backup \
      --name "$BACKUP_CONTAINER"
    
    # Copy data
    azcopy copy \
      "C:\production-data\*" \
      "https://backup.blob.core.windows.net/$BACKUP_CONTAINER" \
      --recursive \
      --log-level=INFO \
      --output-type json
    
    # Verify backup
    azcopy list \
      "https://backup.blob.core.windows.net/$BACKUP_CONTAINER"
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🎯 TOOL SELECTION GUIDE                      │
    └─────────────────────────────────────────────────────────────────┘
    
    Use Storage Explorer When:         Use AzCopy When:
    ══════════════════════════        ═══════════════════
    
    ✅ Learning Azure Storage         ✅ Large data transfers (>1GB)
    ✅ Visual data exploration        ✅ Automated operations
    ✅ Small file operations          ✅ Sync requirements
    ✅ Quick configuration changes    ✅ Pattern-based transfers
    ✅ Cross-account browsing         ✅ CI/CD integration
    ✅ One-time administrative tasks  ✅ Bandwidth optimization
    ✅ Troubleshooting access         ✅ Resume capability needed

Storage Account Failover

Explanation

Storage account failover lets an administrator manually fail a GRS/GZRS (or RA-GRS/RA-GZRS) account over to its secondary region during a primary region outage. After failover the secondary region becomes the new primary; any data written after the last sync time was not yet replicated and is lost.

Examples

Initiating failover during regional disasters, testing disaster recovery procedures, recovering from prolonged primary region outages, business continuity planning.

Enterprise Use Case

Organizations use account failover for disaster recovery, business continuity, and meeting RTO requirements when primary region is unavailable for extended periods.

Diagram

Storage Account Failover Process:

    ┌─────────────────────────────────────────────────────────────────┐
    │                   🚨 FAILOVER WORKFLOW & IMPACT               │
    └─────────────────────────────────────────────────────────────────┘
    
    Normal Operations                  Failover Scenario             Post-Failover State
    ═════════════════                 ═══════════════════           ═══════════════════
    
    🏢 Primary Region (East US)        🚨 Disaster Event            🌍 New Primary (West US)
    ┌─────────────────────┐           ┌─────────────────────┐       ┌─────────────────────┐
    │ ✅ PRIMARY ACTIVE    │           │ ❌ PRIMARY DOWN     │       │ ✅ PROMOTED PRIMARY │
    │                     │           │                     │       │                     │
    │ 📊 Read/Write Ops   │           │ 🔥 Region Outage    │       │ 📊 Read/Write Ops   │
    │ 🔄 Async Replication│──────────►│ 📱 Failover Decision│──────►│ 🚫 No Replication   │
    │ 📈 Live Traffic     │           │ ⏰ RPO Data Loss    │       │ 📈 Restored Traffic │
    │                     │           │ 🎯 Initiate Failover│       │ ⚠️ Potential Data   │
    │ Endpoint:           │           │                     │       │    Loss Occurred    │
    │ storageacct.blob... │           │ Time: 15 minutes    │       │                     │
    └─────────────────────┘           └─────────────────────┘       │ Same Endpoint:      │
            │                                 │                     │ storageacct.blob... │
            ▼ Replicate                       ▼ Promote             └─────────────────────┘
    ┌─────────────────────┐           ┌─────────────────────┐              ▲
    │ 📋 SECONDARY        │           │ 🔄 PROMOTION        │              │
    │    (West US)        │           │    IN PROGRESS      │──────────────┘
    │                     │           │                     │
    │ 📖 Read-Only (RA-*) │           │ ⏳ ~15 minutes      │
    │ 📊 Replicated Data  │           │ 🔧 DNS Updates      │
    │ ⏰ 15min RPO        │           │ 📡 Endpoint Switch  │
    └─────────────────────┘           └─────────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    ⚠️ FAILOVER IMPACT ANALYSIS                │
    └─────────────────────────────────────────────────────────────────┘
    
    Before Failover                   During Failover              After Failover
    ═══════════════                  ════════════════             ═══════════════
    
    ✅ Primary: Read/Write            🚫 Service Unavailable       ✅ New Primary: R/W
    📖 Secondary: Read (RA-*)         ⏰ 15+ minute downtime       🚫 No secondary region
    🔄 Auto-replication active        📊 DNS propagation delay     ⚠️ Data loss possible
    🌍 Two-region protection          ⚙️ Azure manages process     💰 Single-region billing
    
    Data Consistency:                 Recovery Considerations:      Post-Failover Actions:
    ═════════════════                ════════════════════════     ════════════════════════
    
    📊 Last Sync Time (LST):          🎯 RTO: ~15 minutes          🔄 Test applications
    • GRS: Up to 15 min data loss     🎯 RPO: Up to 15 minutes     📝 Update monitoring
    • GZRS: Up to 15 min data loss    📱 Manual initiation only    🚨 Plan fail-back
    • ZRS/LRS: Not applicable         🔧 Cannot be cancelled       ⚙️ Reconfigure DR
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                     🎯 FAILOVER DECISION MATRIX                │
    └─────────────────────────────────────────────────────────────────┘
    
    Initiate Failover When:           Don't Failover When:         Alternative Actions:
    ═══════════════════════          ════════════════════          ═══════════════════
    
    ✅ Primary region down >1 hour   ❌ Short-term outages         🔄 Wait for recovery
    ✅ Azure confirms region issue   ❌ Isolated connectivity      🔧 Check network path
    ✅ Business operations halted    ❌ Application errors only    🐛 Debug applications  
    ✅ RTO requirements exceeded     ❌ Uncertain data loss        🕒 Monitor LST closely
    ✅ DR plan activation needed     ❌ Testing scenarios          🧪 Use test accounts
    
    Business Continuity Planning:
    ═══════════════════════════════
    
    📋 Pre-Event Preparation:
    • Document failover procedures
    • Test with non-production accounts
    • Define RTO/RPO requirements
    • Create monitoring alerts
    • Train operations team
    
    🚨 During Event:
    • Assess outage scope
    • Check Azure status dashboard
    • Verify last sync time
    • Coordinate with business stakeholders
    • Execute failover if criteria met
    
    ✅ Post-Event Recovery:
    • Verify application functionality
    • Monitor performance metrics
    • Plan failback when possible
    • Document lessons learned
    • Update DR procedures
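The "verify last sync time, then execute failover only if criteria are met" steps above, as an added Az PowerShell example (not from the study guide); the resource group, account name and RPO threshold are assumed placeholders.

```powershell
# Added example, not part of the study guide. Names and the RPO value are placeholders.

function Get-StorageFailoverAssessment {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [int] $RpoMinutes = 15
    )
    $acct  = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName `
                 -Name $StorageAccountName -IncludeGeoReplicationStats
    $stats = $acct.GeoReplicationStats
    if ($null -eq $stats) {
        throw "$StorageAccountName is $($acct.Sku.Name): no secondary region to fail over to."
    }

    # Last Sync Time bounds the data at risk: everything written after it is lost on failover.
    $atRiskMinutes = $null
    if ($null -ne $stats.LastSyncTime) {
        $lag = (Get-Date).ToUniversalTime() - $stats.LastSyncTime.ToUniversalTime()
        $atRiskMinutes = [math]::Round($lag.TotalMinutes, 1)
    }

    [pscustomobject]@{
        Account          = $StorageAccountName
        Sku              = $acct.Sku.Name
        PrimaryStatus    = $acct.StatusOfPrimary
        SecondaryStatus  = $acct.StatusOfSecondary
        ReplicationState = $stats.Status
        LastSyncTimeUtc  = $stats.LastSyncTime
        DataAtRiskMin    = $atRiskMinutes
        CanFailover      = $stats.CanFailover
        WithinRpo        = ($null -ne $atRiskMinutes) -and ($atRiskMinutes -le $RpoMinutes)
    }
}

function Invoke-GuardedStorageFailover {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [int] $RpoMinutes = 15
    )
    $a = Get-StorageFailoverAssessment -ResourceGroupName $ResourceGroupName `
             -StorageAccountName $StorageAccountName -RpoMinutes $RpoMinutes
    $a | Format-List

    if (-not $a.CanFailover) {
        Write-Warning 'Azure reports the secondary is not ready for failover; wait for recovery instead.'
        return
    }
    if (-not $a.WithinRpo) {
        Write-Warning "Data at risk ($($a.DataAtRiskMin) min) exceeds the agreed RPO of $RpoMinutes min; escalate before proceeding."
    }

    # Failover cannot be cancelled and the account keeps no secondary afterwards,
    # so require a typed confirmation rather than a yes/no prompt.
    $answer = Read-Host "Writes after $($a.LastSyncTimeUtc) UTC will be lost. Type FAILOVER to proceed"
    if ($answer -cne 'FAILOVER') { Write-Host 'Failover not initiated.'; return }

    Invoke-AzStorageAccountFailover -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName -Force

    # Post-failover action from the checklist above: the account now runs in the
    # former secondary without geo-redundancy; reconfigure DR once the old region
    # is healthy, e.g. Set-AzStorageAccount ... -SkuName Standard_GRS
}

# Usage (placeholders): assess first, fail over only through the guarded function.
Get-StorageFailoverAssessment -ResourceGroupName 'rg-prod' -StorageAccountName 'prodstorageacct'
```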

Create and Configure Azure File Shares

Explanation

Azure File Shares provide fully managed file shares in the cloud accessible via SMB and NFS protocols. They can be mounted on Windows, Linux, and macOS, offering shared storage for applications and users.

Examples

Creating file shares for application data, user home directories, configuration files, shared content between VMs, lift-and-shift scenarios.

Enterprise Use Case

Organizations use Azure Files for shared application storage, user file storage, configuration management, backup storage, and replacing on-premises file servers.

Diagram

Azure File Share Architecture & Access Methods:

    ┌─────────────────────────────────────────────────────────────────┐
    │                    📁 AZURE FILES ECOSYSTEM                     │
    └─────────────────────────────────────────────────────────────────┘
    
    Storage Account Container            File Share Access Methods
    ═══════════════════════════         ══════════════════════════════
    
    💾 Storage Account: "companyfiles"   🔗 SMB 3.0/2.1 Protocol
    ┌─────────────────────────────┐     ┌───────────────────────────┐
    │  📂 File Shares:            │     │ 🖥️ Windows Clients        │
    │                             │     │ • net use Z: \\storage   │
    │  📁 "userfiles" (100 GB)    │◄────┤ • File Explorer access   │
    │  📁 "appdata" (50 GB)       │     │ • Drive mapping           │
    │  📁 "backups" (500 GB)      │     └───────────────────────────┘
    │  📁 "shared" (200 GB)       │              ▲
    │                             │              │
    │  🔒 Access Control:         │              │ Mount
    │  • Storage account keys     │              │
    │  • SAS tokens              │              ▼
    │  • Azure AD (Premium)      │     ┌───────────────────────────┐
    │                             │     │ 🐧 Linux/macOS Clients    │
    │  🌡️ Performance Tiers:      │     │ • mount -t cifs           │
    │  • Standard (HDD)           │◄────┤ • /etc/fstab entries      │
    │  • Premium (SSD)            │     │ • POSIX permissions       │
    └─────────────────────────────┘     └───────────────────────────┘
                 │                              ▲
                 ▼                              │
    ┌─────────────────────────────┐              │
    │  🔧 Configuration Options:  │              │
    │                             │              │
    │  💰 Pricing Model:          │              │
    │  • Pay for provisioned      │              │
    │  • No minimum commitment    │              │
    │                             │              │
    │  🚀 Features:               │              │
    │  • Snapshots               │              │
    │  • Soft delete             │              │
    │  • File sync               │              │
    │  • Backup integration      │              │
    └─────────────────────────────┘              │
                 │                              │
                 ▼                              │
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🌐 REST API ACCESS                           │
    │                                                                 │
    │  📡 HTTPS REST API:                                            │
    │  https://companyfiles.file.core.windows.net/userfiles/file.txt │
    │                                                                 │
    │  🔑 Authentication Options:                                     │
    │  • Storage account key                                          │
    │  • Shared access signature (SAS)                               │
    │  • Azure AD authentication (Premium)                           │
    └─────────────────────────────────────────────────────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                   ⚙️ CREATION & MANAGEMENT                     │
    └─────────────────────────────────────────────────────────────────┘
    
    Portal Creation:
    ════════════════
    
    🌐 Azure Portal
    1. Navigate to Storage
    2. File shares section
    3. Create file share
    4. Set quota (1-100TB)
    5. Configure access tier
    6. Review and create
    
    🎯 Use Cases:
    • Initial setup
    • Learning Azure Files
    • Small deployments
    • Visual configuration
    
    CLI Creation:
    ══════════════
    
    💻 Azure CLI
    az storage share create \
      --name "myshare" \
      --account-name "storage" \
      --quota 100
    
    # Mount command (Linux SMB client; the credentials file holds the account
    # key, so keep it readable by root only)
    sudo mount -t cifs \
      //storage.file.core.windows.net/myshare \
      /mnt/myshare \
      -o credentials=/etc/samba/credentials
    
    PowerShell Creation:
    ═══════════════════════
    
    ⚡ PowerShell
    # Get access key
    $key = Get-AzStorageAccountKey `
      -ResourceGroupName $rg `
      -Name $storage
    
    # Create context
    $ctx = New-AzStorageContext `
      -StorageAccountName $storage `
      -StorageAccountKey $key.Value[0]
    
    # Create the share using that context
    New-AzStorageShare `
      -Name "myshare" `
      -Context $ctx `
      -Quota 100

Azure File Sync

Explanation

Azure File Sync enables centralization of file shares in Azure Files while maintaining on-premises file server performance and compatibility. It provides cloud tiering and multi-site sync capabilities.

Examples

Syncing on-premises file servers to Azure, cloud tiering for storage optimization, branch office file consolidation, disaster recovery for file servers.

Enterprise Use Case

Enterprises use Azure File Sync for hybrid file storage, reducing on-premises storage costs, centralizing file management, and providing disaster recovery for file services.

Diagram

Azure File Sync Hybrid Architecture:

    ┌─────────────────────────────────────────────────────────────────┐
    │                  ☁️ AZURE FILE SYNC TOPOLOGY                    │
    └─────────────────────────────────────────────────────────────────┘
    
    On-premises Environment             Azure Cloud Environment
    ═══════════════════════════        ══════════════════════════
    
    🏢 Head Office                     ☁️ Azure Files
    ┌─────────────────────┐            ┌─────────────────────────┐
    │ 🖥️ File Server       │           │ 📁 Azure File Share     │
    │                     │◄─────────►│                         │
    │ • Local hot files   │   Sync     │ • Complete dataset      │
    │ • Frequently used   │            │ • All file versions     │
    │ • Cache tier        │            │ • Metadata & security   │
    │                     │            │ • Unlimited capacity    │
    │ 💾 Local Storage:   │            └─────────────────────────┘
    │ • 2TB local cache   │                        │
    │ • 100TB in cloud    │                        │ Sync
    └─────────────────────┘                        ▼
               │                          ┌─────────────────────────┐
               │ Sync                     │ 🔄 Storage Sync Service │
               ▼                          │                         │
    🏪 Branch Office 1                    │ • Sync orchestration    │
    ┌─────────────────────┐               │ • Policy management     │
    │ 🖥️ File Server       │◄─────────────┤ • Health monitoring     │
    │                     │   Sync        │ • Conflict resolution   │
    │ • Local cache       │               └─────────────────────────┘
    │ • Branch-specific   │                        ▲
    │   files            │                        │ Sync
    └─────────────────────┘                        │
               │                                   │
               │ Sync                             ▼
               ▼                          ┌─────────────────────────┐
    🏪 Branch Office 2                    │ 📊 Sync Group           │
    ┌─────────────────────┐               │                         │
    │ 🖥️ File Server       │◄─────────────┤ • Server endpoints      │
    │                     │   Sync        │ • Cloud endpoints       │
    │ • Local cache       │               │ • Sync topology         │
    │ • Branch-specific   │               │ • Conflict policies     │
    │   files            │               └─────────────────────────┘
    └─────────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🌤️ CLOUD TIERING WORKFLOW                    │
    └─────────────────────────────────────────────────────────────────┘
    
    File Access Pattern               Tiering Decision              Storage Location
    ═══════════════════              ════════════════              ════════════════
    
    🔥 Hot Files (Recent)             ⬇️ Keep Local                🖥️ Local Server
    ┌─────────────────────┐           ┌─────────────────┐          ┌─────────────────┐
    │ • Accessed today    │           │ ✅ Cache locally │          │ • Fast access   │
    │ • Modified recently │──────────►│ • Full content   │─────────►│ • LAN speed     │
    │ • Frequently used   │           │ • No download    │          │ • No latency    │
    └─────────────────────┘           └─────────────────┘          └─────────────────┘
    
    📅 Older Files (date policy)      ⬆️ Tier after N idle days   ☁️ Stub local, data in cloud
    ┌─────────────────────┐           ┌─────────────────┐          ┌─────────────────┐
    │ • Idle N+ days      │           │ 📊 Metadata only │          │ • On-demand     │
    │ • Infrequent access │──────────►│ • Download on    │─────────►│   download      │
    │ • Large files       │           │   access         │          │ • Cloud storage │
    └─────────────────────┘           └─────────────────┘          └─────────────────┘
    
    📉 Low Volume Free Space          ⬆️ Tier coldest first       ☁️ Stub local, data in cloud
    ┌─────────────────────┐           ┌─────────────────┐          ┌─────────────────┐
    │ • Coldest files     │           │ 🗂️ Stub files    │          │ • Full in cloud │
    │ • Rarely accessed   │──────────►│ • Pointer only   │─────────►│ • Download req  │
    │ • Below free-space %│           │ • Space reclaim  │          │ • Cost optimized│
    └─────────────────────┘           └─────────────────┘          └─────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    🎯 DEPLOYMENT & MANAGEMENT                   │
    └─────────────────────────────────────────────────────────────────┘
    
    Setup Process:                    Management Features:           Benefits:
    ══════════════                   ═══════════════════           ═════════
    
    1️⃣ Deploy Storage Sync Service   📊 Monitoring Dashboard:      💰 Cost Reduction:
    2️⃣ Register Windows Servers      • Sync health status          • Reduce local storage
    3️⃣ Create Sync Group             • File statistics             • Optimize capacity
    4️⃣ Add Cloud Endpoint            • Error reporting             
    5️⃣ Add Server Endpoints          • Performance metrics         🚀 Performance:
    6️⃣ Configure Cloud Tiering       • Bandwidth usage             • Local speed for hot files
    7️⃣ Monitor Sync Health                                         • Global file access
                                     🔄 Sync Behaviour:            
    Prerequisites:                   • Conflicts: both copies kept, 🔒 Security:
    ══════════════                    loser renamed                • Encryption in transit
    • Windows Server 2016+          • Network limits (schedulable) • NTFS ACLs preserved
    • PowerShell 5.1+               • Tiering: free-space + date   • Identity integration
    • .NET Framework 4.7.2+         • Previous Versions via VSS    • Share-level RBAC
    • 64-bit OS                     • Initial download modes       
    • NTFS (ReFS not supported)                                    📈 Scalability:
                                                                   • Up to 100 TiB per share
                                                                   • Multiple server sync
                                                                   • Branch office support
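The seven setup steps above, as an added Az.StorageSync PowerShell example (not part of the original guide). Resource group, service, account, share and group names, the local path and the tiering thresholds are all assumptions. Steps 1, 3 and 4 can run from any machine with the Az modules; step 2 must run on the file server itself after the Azure File Sync agent is installed.

```powershell
# Added example, not from the original guide. All names below are assumptions.
Import-Module Az.Accounts, Az.Storage, Az.StorageSync

$rg        = 'rg-files-hybrid'
$location  = 'eastus'
$syncSvc   = 'stsync-contoso'
$saName    = 'stcontosofiles'
$shareName = 'corpdata'
$group     = 'sg-corpdata'

Connect-AzAccount | Out-Null

# 1. Storage Sync Service: the control plane that owns sync groups.
New-AzStorageSyncService -ResourceGroupName $rg -Name $syncSvc -Location $location | Out-Null

# The Azure file share that will hold the complete data set (assumed to be in an
# existing storage account). Created only if it does not exist yet.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName
if (-not (Get-AzStorageShare -Name $shareName -Context $sa.Context -ErrorAction SilentlyContinue)) {
    New-AzStorageShare -Name $shareName -Context $sa.Context | Out-Null
}

# 2. Register this Windows Server (run ON the file server, after installing the agent).
#    Registration uses an interactive Azure sign-in; the server never needs the
#    storage account key.
$server = Register-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $syncSvc

# 3. Sync group: one cloud endpoint plus one or more server endpoints that converge.
New-AzStorageSyncGroup -ResourceGroupName $rg -StorageSyncServiceName $syncSvc -Name $group | Out-Null

# 4. Cloud endpoint = the Azure file share. Exactly one per sync group.
New-AzStorageSyncCloudEndpoint -ResourceGroupName $rg -StorageSyncServiceName $syncSvc `
    -SyncGroupName $group -Name "cep-$shareName" `
    -StorageAccountResourceId $sa.Id -AzureFileShareName $shareName | Out-Null

# 5 + 6. Server endpoint = a folder on the registered server, with cloud tiering on.
#    Files not accessed for 60 days become reparse-point stubs, and the coldest files
#    are tiered whenever the volume drops below 20% free space.
New-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $syncSvc `
    -SyncGroupName $group -Name 'sep-headoffice' `
    -ServerResourceId $server.ResourceId -ServerLocalPath 'D:\Shares\CorpData' `
    -CloudTiering -VolumeFreeSpacePercent 20 -TierFilesOlderThanDays 60 | Out-Null

# 7. Health check: an endpoint whose provisioning or sync state is not healthy is not
#    protecting the data on that server (property names as exposed by Az.StorageSync).
Get-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $syncSvc -SyncGroupName $group |
    Format-List ServerEndpointName, ServerLocalPath, CloudTiering, ProvisioningState, SyncStatus
```

Repeat steps 2 and 5 on each branch server to add it to the same sync group; the share is the single source of truth, so a server lost to hardware failure or ransomware can be rebuilt by registering a fresh server and adding a new server endpoint against the same cloud endpoint.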

Configure Blob Lifecycle Management

Explanation

Blob lifecycle management is a rule-based policy on the storage account that automatically moves block blobs between access tiers (Hot, Cool, Archive) or deletes them, based on days since creation, last modification or last access (last-access rules only work once last-access-time tracking is enabled on the account). Rules can be scoped with prefix and blob index tag filters, and can act on snapshots and previous versions as well as on the live blob. Three caveats matter in practice: the policy runs about once a day, so a new rule can take up to 24 hours to take effect; Archive is an offline tier, so reads require rehydration that typically takes hours; and Cool and Archive carry early-deletion charges (30 and 180 days respectively) when data is moved or deleted before the minimum retention.

Examples

Moving 30-day old blobs to Cool tier, archiving 90-day old data, deleting old backup files, optimizing media storage costs, automating data retention policies.

Enterprise Use Case

Organizations use lifecycle policies for cost optimization, regulatory compliance, automatic data archival, backup retention management, and large-scale data management.

Diagram

Azure Blob Lifecycle Management:

┌─────────────────────────────────────────────────────────────────┐
│                    📊 BLOB LIFECYCLE FRAMEWORK                  │
└─────────────────────────────────────────────────────────────────┘

🔥 HOT TIER (Frequent)          💧 COOL TIER (Infrequent)       ❄️ ARCHIVE TIER (Offline)
┌──────────────────────────┐    ┌──────────────────────────┐    ┌──────────────────────────┐
│ • New uploads            │    │ • 30+ days since change  │    │ • 90+ days since change  │
│ • Active data            │───►│ • Monthly access         │───►│ • Rarely accessed        │
│ • Instant access         │    │ • Instant access         │    │ • Rehydration: hours     │
│ • Highest storage $/GB   │    │ • 30-day min. retention  │    │ • 180-day min. retention │
└──────────────────────────┘    └──────────────────────────┘    └──────────────────────────┘

🎯 AUTOMATION RULES (age-based)      Conditions a rule can use:
• 0-29 days      ──► HOT             • daysAfterModificationGreaterThan
• 30-89 days     ──► COOL            • daysAfterCreationGreaterThan (snapshots, versions)
• 90+ days       ──► ARCHIVE         • daysAfterLastAccessTimeGreaterThan
• retention end  ──► DELETE            (only after last-access-time tracking is enabled)

Filters: blobTypes (required; blockBlob or appendBlob), prefixMatch, blobIndexMatch (tags).

📜 LIFECYCLE RULE (policy.json) implementing the transitions above:

{
  "rules": [
    {
      "enabled": true,
      "name": "age-based-tiering",
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": [ "blockBlob" ],
          "prefixMatch": [ "logs/" ]
        },
        "actions": {
          "baseBlob": {
            "tierToCool":    { "daysAfterModificationGreaterThan": 30 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 90 },
            "delete":        { "daysAfterModificationGreaterThan": 365 }
          },
          "snapshot": { "delete": { "daysAfterCreationGreaterThan": 90 } },
          "version":  { "delete": { "daysAfterCreationGreaterThan": 90 } }
        }
      }
    }
  ]
}

Note the action groups: baseBlob acts on the live blob; snapshot and version act only on
snapshots and previous versions. A rule whose only action group is version never moves or
deletes the current data.

⚙️ Management Commands (Azure CLI; --resource-group is required):

# Create or replace the account's policy (an account holds exactly one policy;
# create performs a PUT, so re-running it with a new file replaces the old rules)
az storage account management-policy create \
  --account-name mystorageacct --resource-group myrg --policy @policy.json

# View the policy currently in effect
az storage account management-policy show \
  --account-name mystorageacct --resource-group myrg

# Remove the policy
az storage account management-policy delete \
  --account-name mystorageacct --resource-group myrg

🔄 TRANSITION FLOW:
══════════════════

Create Blob → Hot (0-29 days)
     ↓
Age Rule → Cool (30-89 days)
     ↓
Age Rule → Archive (90+ days; offline, rehydrate to Hot or Cool before reading)
     ↓
Optional → Delete (retention end)

The policy runs roughly once a day, so a new or changed rule can take up to 24 hours to have
its first effect; moving or deleting data before the Cool (30-day) or Archive (180-day)
minimum retention incurs early-deletion charges.

💰 COST COMPARISON (per GB/month, pay-as-you-go LRS list prices in one US region; region-
and redundancy-dependent, and excluding read, rehydration and early-deletion charges):
═══════════════════════════════════════════════════════════════════════════════════════
Hot:     $0.0184  (100% cost)
Cool:    $0.0100  (46% savings)
Archive: $0.00099 (95% savings)

🏆 BENEFITS:
• Automatic cost optimization
• Compliance with retention policies
• No manual tier management
• Significant storage cost reduction
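The same policy built with the Az.Storage cmdlets, as an added example (not from the original guide). The resource group, account name and prefix are assumptions. It goes beyond the JSON above in two ways: it enables last-access-time tracking so that tiering can follow reads rather than writes, and it adds a second rule that expires snapshots and previous versions so that versioning cannot grow storage cost without bound.

```powershell
# Added example, not from the original guide. Assumed: rg-data / stcontosologs, prefix 'logs/'.
Import-Module Az.Accounts, Az.Storage

$rg = 'rg-data'
$sa = 'stcontosologs'

# daysAfterLastAccessTimeGreaterThan conditions never fire until access-time tracking
# is on; without it only last-modified conditions work.
Enable-AzStorageBlobLastAccessTimeTracking -ResourceGroupName $rg -StorageAccountName $sa -PassThru | Out-Null

# Rule 1: application logs. Tier by days since last read, delete a year after last write.
# Keep thresholds at least 30 days apart for Cool and 180 for Archive, otherwise a later
# action triggers early-deletion charges.
$logActions = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool    -DaysAfterLastAccessTimeGreaterThan 30
$logActions = Add-AzStorageAccountManagementPolicyAction -InputObject $logActions -BaseBlobAction TierToArchive -DaysAfterLastAccessTimeGreaterThan 90
$logActions = Add-AzStorageAccountManagementPolicyAction -InputObject $logActions -BaseBlobAction Delete        -DaysAfterModificationGreaterThan 365
$logFilter  = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'logs/' -BlobType blockBlob
$logRule    = New-AzStorageAccountManagementPolicyRule -Name 'tier-and-expire-logs' -Action $logActions -Filter $logFilter

# Rule 2: account-wide housekeeping for snapshots and previous versions.
$histActions = Add-AzStorageAccountManagementPolicyAction -SnapshotAction Delete -DaysAfterCreationGreaterThan 90
$histActions = Add-AzStorageAccountManagementPolicyAction -InputObject $histActions -BlobVersionAction Delete -DaysAfterCreationGreaterThan 90
$histFilter  = New-AzStorageAccountManagementPolicyFilter -BlobType blockBlob
$histRule    = New-AzStorageAccountManagementPolicyRule -Name 'expire-history' -Action $histActions -Filter $histFilter

# Set-* replaces the account's whole policy (one policy per account), so pass every rule.
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa -Rule $logRule, $histRule | Out-Null

# Review what is actually in effect. The policy runs roughly once a day, so the first
# transitions can take up to 24 hours to appear.
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $sa).Rules |
    ForEach-Object {
        "Rule: $($_.Name)"
        $_.Definition.Actions | ConvertTo-Json -Depth 5
    }
```

Because the account-wide second rule has no prefix filter, it also applies to containers holding versioned documents; scope it with -PrefixMatch if some containers need longer version retention for compliance reasons.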

Configure Blob Versioning

Explanation

Blob versioning, enabled per storage account, preserves the previous state of a blob as a read-only version every time the blob is overwritten or deleted; each version is identified by a timestamp version ID, and only the current version is writable. Versions persist until something deletes them, and that something can be a lifecycle rule or any caller with delete rights on the container. Versioning therefore protects against accidents and against attackers who only hold write access, but not against an attacker who has taken over an account with Storage Blob Data Contributor or Owner rights. Pair it with blob and container soft delete (so deleted versions are still recoverable within the retention window), restrict who can delete, and use immutability policies (WORM) where data must survive even a privileged account.

Examples

Protecting against accidental overwrites, maintaining file history for compliance, rollback capabilities for applications, data corruption recovery, audit trail maintenance.

Enterprise Use Case

Organizations use blob versioning for data protection, compliance requirements, application rollback scenarios, protecting against ransomware, and maintaining change history.

Diagram

Blob Versioning & Data Protection:

    ┌─────────────────────────────────────────────────────────────────┐
    │                    📚 BLOB VERSION LIFECYCLE                    │
    └─────────────────────────────────────────────────────────────────┘
    
    Initial Creation                  Modification Events             Version Management
    ════════════════                 ═══════════════════             ═══════════════════
    
    📄 Original File                  🔄 Version 1 Creation          📊 Version History
    ┌─────────────────┐               ┌─────────────────┐             ┌─────────────────┐
    │ document.docx   │               │ • User edits    │             │ Current Version │
    │                 │──────────────►│ • Content change│────────────►│ (Version 2)     │
    │ Version: Current│               │ • Save operation│             │                 │
    │ Size: 1.2 MB    │               └─────────────────┘             │ • Latest data   │
    │ Modified: 9 AM  │                        │                     │ • Read/Write    │
    └─────────────────┘                        ▼                     │ • Primary access│
                                     ┌─────────────────┐             └─────────────────┘
                                     │ Auto Versioning │                      │
                                     │                 │                      │
                                     │ • Original →    │                      ▼
                                     │   Version 1     │             ┌─────────────────┐
                                     │ • New content → │             │ Previous Versions│
                                     │   Current       │             │                 │
                                     └─────────────────┘             │ 📚 Version 1    │
                                              │                     │ • Immutable     │
                                              ▼                     │ • Read-only     │
    🔄 Subsequent Changes             ┌─────────────────┐             │ • Point-in-time │
    ┌─────────────────┐               │ Version 2       │             │ • Full content  │
    │ More edits      │               │ • Current blob  │             │                 │
    │ • 11 AM change  │──────────────►│ • Active version│             │ 📚 Version 0    │
    │ • 2 PM change   │               │ • Latest data   │             │ • Original      │
    │ • 5 PM change   │               └─────────────────┘             │ • Immutable     │
    └─────────────────┘                        │                     │ • Historical    │
                                              ▼                     └─────────────────┘
                                     ┌─────────────────┐
                                     │ Version Chain   │
                                     │                 │
                                     │ Current ←──── 2 │
                                     │    ↑           │
                                     │ Version 1 ←─── │
                                     │    ↑           │
                                     │ Version 0      │
                                     │ (Original)     │
                                     └─────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                   🔒 DATA PROTECTION SCENARIOS                  │
    └─────────────────────────────────────────────────────────────────┘
    
    Accidental Deletion              Ransomware Attack               Application Rollback
    ════════════════════             ═══════════════════             ════════════════════
    
    😱 Problem:                      🦠 Problem:                     🐛 Problem:
    ┌─────────────────┐               ┌─────────────────┐             ┌─────────────────┐
    │ User deletes    │               │ Malware encrypts│             │ App update      │
    │ important file  │               │ critical files  │             │ corrupts data   │
    │ accidentally    │               │ for ransom      │             │ format          │
    └─────────────────┘               └─────────────────┘             └─────────────────┘
             │                               │                               │
             ▼                               ▼                               ▼
    ✅ Solution:                     ✅ Solution:                    ✅ Solution:
    ┌─────────────────┐               ┌─────────────────┐             ┌─────────────────┐
    │ • Soft delete   │               │ • Previous      │             │ • Roll back to  │
    │   protection    │               │   versions      │             │   last known    │
    │ • Version       │               │   unaffected    │             │   good version  │
    │   recovery      │               │ • Point-in-time │             │ • Compare       │
    │ • Audit trail   │               │   recovery      │             │   versions      │
    └─────────────────┘               └─────────────────┘             └─────────────────┘
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                    ⚙️ CONFIGURATION & MANAGEMENT               │
    └─────────────────────────────────────────────────────────────────┘
    
    Enable Versioning (a blob-service property, not a storage-account property):
    ══════════════════════════════════════════════════════════════════════════

    🌐 Portal: storage account ▸ Data protection ▸ Enable versioning for blobs

    💻 CLI:
    az storage account blob-service-properties update \
      --account-name mystorageaccount --resource-group myrg \
      --enable-versioning true

    ⚡ PowerShell:
    Update-AzStorageBlobServiceProperty -ResourceGroupName myrg `
      -StorageAccountName mystorageaccount -IsVersioningEnabled $true

    Version Access Methods:
    ══════════════════════

    📡 REST / direct URL (needs a token or SAS like any other blob read):
    GET https://account.blob.core.windows.net/container/blob?versionId={version-id}

    💻 CLI:
    az storage blob show --account-name mystorageaccount --container-name docs \
      --name file.txt --version-id "2024..."

    ⚡ PowerShell:
    Get-AzStorageBlob -Container docs -Blob file.txt -VersionId "2024..." -Context $ctx

    💰 Cost Management:             📊 Monitoring:               🔄 Automation:
    • Lifecycle rule: delete        • Version counts             • Version cleanup scripts
      versions older than N days    • Storage consumption        • Compliance reporting
    • Tier old versions to          • Access patterns            • Backup validation
      cool/archive                  • Cost analysis              • Change notifications
    
    ┌─────────────────────────────────────────────────────────────────┐
    │                     🎯 BEST PRACTICES                           │
    └─────────────────────────────────────────────────────────────────┘
    
    Security Best Practices:          Performance Considerations:     Compliance Benefits:
    ════════════════════════         ═══════════════════════        ═══════════════════
    
    🔐 Access Control:               🚀 Optimization:                📋 Regulatory:
    • RBAC for version access        • Lifecycle policies for old    • SOX compliance
    • SAS tokens with version        • versions                     • GDPR data history
    • Audit version access          • Monitor storage costs        • HIPAA audit trails
                                    • Version-specific caching      
    🛡️ Protection:                  
    • Combine with soft delete      📊 Monitoring:                  💼 Business:
    • Version-aware backups         • Track version counts          • Change management
    • Immutability policies (WORM)  • Storage growth analysis       • Data lineage
                                    • Access pattern monitoring     • Quality assurance
    🔍 Monitoring:                  
    • Version creation alerts       🎯 Application Integration:      🔄 Operational:
    • Unusual access patterns       • Version-aware app design     • Disaster recovery
    • Storage growth tracking       • Rollback procedures          • Incident response
                                    • Testing with versions         • Change tracking
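The data-protection scenarios above, worked through end to end as an added Az.Storage PowerShell example (not from the original guide): enable versioning and soft delete, simulate an overwrite, list the versions, roll back to the last good one, and query who wrote the blob. Resource names, the sample file content and the Log Analytics workspace are assumptions; the rollback step assumes Copy-AzStorageBlob accepts the version object from the pipeline, which is how the Az.Storage module exposes blob instances, so verify it against your module version.

```powershell
# Added example, not from the original guide. Assumed: rg-data / stcontosodocs, container
# 'docs', blob 'contract.docx', a Log Analytics workspace receiving StorageBlobLogs, and a
# caller holding Storage Blob Data Contributor on the account.
Import-Module Az.Accounts, Az.Storage, Az.OperationalInsights

$rg = 'rg-data'; $sa = 'stcontosodocs'; $container = 'docs'; $blob = 'contract.docx'
$workspaceId = '00000000-0000-0000-0000-000000000000'   # assumed placeholder

# 1. Versioning plus blob and container soft delete. Versioning alone does not stop a caller
#    with delete rights from removing versions; soft delete keeps them recoverable for the
#    retention window. Neither replaces an immutability policy.
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $sa -IsVersioningEnabled $true | Out-Null
Enable-AzStorageBlobDeleteRetentionPolicy      -ResourceGroupName $rg -StorageAccountName $sa -RetentionDays 14 | Out-Null
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $sa -RetentionDays 14 | Out-Null

# Data-plane context with the signed-in identity (Azure AD), not the account key.
$ctx = New-AzStorageContext -StorageAccountName $sa -UseConnectedAccount

# 2. Constructed scenario: a good upload followed by a bad overwrite. The first upload
#    becomes a previous version the moment the second one lands.
$tmp = Join-Path $env:TEMP 'contract.docx'
'original terms' | Set-Content -Path $tmp
Set-AzStorageBlobContent -File $tmp -Container $container -Blob $blob -Context $ctx -Force | Out-Null
'tampered terms'  | Set-Content -Path $tmp
Set-AzStorageBlobContent -File $tmp -Container $container -Blob $blob -Context $ctx -Force | Out-Null

# 3. Every version of the blob; IsLatestVersion marks the current, writable one.
$versions = Get-AzStorageBlob -Container $container -Blob $blob -IncludeVersion -Context $ctx |
    Sort-Object VersionId
$versions | Format-Table Name, VersionId, IsLatestVersion, Length, LastModified

# 4. Roll back: copy the newest non-current version over the live blob. The copy creates
#    yet another version, so the rollback is itself recorded and reversible.
$previous = $versions | Where-Object { -not $_.IsLatestVersion } | Select-Object -Last 1
$previous | Copy-AzStorageBlob -DestContainer $container -DestBlob $blob -Context $ctx -Force | Out-Null

# 5. Who wrote it? Storage resource logs (sent to Log Analytics via a diagnostic setting)
#    record caller IP, auth type and object key for every write and delete.
$query = @"
StorageBlobLogs
| where TimeGenerated > ago(1d)
| where OperationName in ('PutBlob', 'PutBlockList', 'DeleteBlob', 'CopyBlob')
| where ObjectKey endswith '/$container/$blob'
| project TimeGenerated, OperationName, CallerIpAddress, AuthenticationType, RequesterObjectId
| order by TimeGenerated desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query).Results | Format-Table
```

Step 5 is the half of the ransomware scenario the diagram leaves out: restoring the version is only useful if you also find and revoke the credential that wrote the bad copy, otherwise the next write undoes the rollback.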

Azure Virtual Machines

Explanation

Infrastructure-as-a-Service (IaaS) compute service that provides on-demand, scalable computing resources. VMs give you full control over the operating system and applications, supporting both Windows and Linux with various sizes and configurations.

Examples

Hosting web applications, running development/test environments, extending on-premises infrastructure, running legacy applications, high-performance computing workloads, batch processing jobs.

Enterprise Use Case

Companies use VMs for lift-and-shift migrations, when they need full OS control, for applications requiring specific configurations, disaster recovery, and when migrating from physical servers.

Diagram

Azure Virtual Machine Architecture & Management:
┌─────────────────────────────────────────────────────────────────┐
│                  💻 AZURE VIRTUAL MACHINE LIFECYCLE            │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
🏗️ VM CREATION                                    ⚙️ VM CONFIGURATION
┌─────────────────────┐                    ┌─────────────────────┐
│ Planning & Sizing:  │                    │ Operating System:   │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │Size Categories: │ │───►                │ │Windows Server   │ │
│ │• General Purpose│ │    │               │ │• 2019/2022      │ │
│ │• Compute Optimized│    │               │ │• Desktop        │ │
│ │• Memory Optimized│ │    │               │ │                 │ │
│ │• Storage Optimized│    │               │ │Linux Distros:   │ │
│ │• GPU Accelerated│ │    ▼               │ │• Ubuntu/CentOS  │ │
│ └─────────────────┘ │ [RESOURCE]         │ │• RHEL/SUSE      │ │
│                     │ [ALLOCATION]       │ └─────────────────┘ │
│ Resource Planning:  │    │               │                     │
│ • vCPUs: 1 to 400+ │    │               │ Storage Config:     │
│ • RAM: 0.5GB to TBs│    │               │ • OS Disk (Premium) │
│ • Storage: HDD/SSD │    │               │ • Data Disks (0-64) │
│ • NIC: size-capped │    │               │ • Managed Disks     │
└─────────────────────┘    │               └─────────────────────┘
                           │
                           ▼
🌐 NETWORKING ARCHITECTURE                   📊 MONITORING & MANAGEMENT
┌─────────────────────┐                    ┌─────────────────────┐
│ Network Components: │                    │ Azure Monitor:      │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │Virtual Network  │ │                    │ │Performance:     │ │
│ │├─ Subnets       │ │                    │ │• CPU/Memory     │ │
│ │├─ Address Space │ │                    │ │• Disk I/O       │ │
│ │└─ DNS Settings  │ │                    │ │• Network        │ │
│ └─────────────────┘ │                    │ └─────────────────┘ │
│                     │                    │                     │
│ Security Groups:    │                    │ Backup & Recovery:  │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │Network NSG      │ │                    │ │Azure Backup    │ │
│ │├─ Inbound Rules │ │                    │ │├─ Daily/Weekly  │ │
│ │├─ Outbound Rules│ │                    │ │├─ Retention     │ │
│ │└─ Service Tags  │ │                    │ │└─ Point-in-Time │ │
│ └─────────────────┘ │                    │ └─────────────────┘ │
│                     │                    │                     │
│ Public Connectivity:│                    │ Update Management:  │
│ • Public IP (Static)│                    │ • OS Updates        │
│ • Load Balancer     │                    │ • Security Patches  │
│ • Application GW    │                    │ • Extension Updates │
└─────────────────────┘                    └─────────────────────┘

🔧 VM MANAGEMENT OPERATIONS
┌─────────────────────────────────────────────────────────────────┐
│ Power Management:     │ Scaling Options:      │ Maintenance:      │
│ • Start/Stop/Restart  │ • Vertical (Resize)   │ • OS Updates      │
│ • Deallocate         │ • Horizontal (Scale   │ • Security Patches│
│ • Auto-shutdown      │   Sets/VMSS)          │ • Backup Jobs     │
├─────────────────────────────────────────────────────────────────┤
│ Security Features:    │ Extensions:           │ Cost Optimization:│
│ • Defender for Cloud │ • Custom Scripts      │ • Reserved Instances│
│ • Just-in-Time       │ • Monitoring Agents   │ • Spot Instances   │
│ • Disk Encryption    │ • Antimalware         │ • Auto-shutdown    │
└─────────────────────────────────────────────────────────────────┘

VM Sizing Categories:
────────────────────
B-series:  💡 Burstable (Dev/Test)         D-series:  ⚡ General Purpose
E-series:  🧠 Memory-Optimized (Databases) F-series:  🚀 Compute-Optimized
L-series:  💾 Storage-Optimized (NVMe SSD) N-series:  🎮 GPU-Accelerated (AI/ML)
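The VM creation flow in the diagram, as an added Az PowerShell example (not from the original guide) that applies the security features listed: an NSG that admits SSH only from an admin range, no public IP, Trusted Launch, a system-assigned identity, SSH keys instead of passwords, and Azure AD login so that access is governed by RBAC. Resource names, the admin CIDR, the key path, the image SKU and the sign-in name are assumptions; New-AzVMConfig -SecurityType and Set-AzVMUefi require a recent Az.Compute.

```powershell
# Added example, not from the original guide. All names, ranges and paths are assumptions.
Import-Module Az.Accounts, Az.Network, Az.Compute, Az.Resources

$rg = 'rg-app-prod'; $loc = 'eastus'; $vmName = 'vm-app01'
$adminCidr = '203.0.113.0/24'

# Network: one subnet and an NSG. Allow SSH from the admin range only and deny the rest of
# the Internet explicitly so that a later, looser rule cannot slip in at a lower priority.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-app' -AddressPrefix '10.10.1.0/24'
$vnet   = New-AzVirtualNetwork -ResourceGroupName $rg -Location $loc -Name 'vnet-app' `
            -AddressPrefix '10.10.0.0/16' -Subnet $subnet

$allowSsh = New-AzNetworkSecurityRuleConfig -Name 'Allow-SSH-Admin' -Direction Inbound -Priority 100 `
              -Access Allow -Protocol Tcp -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
              -DestinationAddressPrefix '*' -DestinationPortRange 22
$denyNet  = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Inbound' -Direction Inbound -Priority 4000 `
              -Access Deny -Protocol '*' -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
              -DestinationAddressPrefix '*' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'nsg-app' -SecurityRules $allowSsh, $denyNet

# No public IP on the NIC: the VM is reached through Bastion or a VPN, never directly.
$nic = New-AzNetworkInterface -ResourceGroupName $rg -Location $loc -Name "nic-$vmName" `
         -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id

# VM config: Trusted Launch (Secure Boot + vTPM), system-assigned identity, SSH keys only.
# The cmdlet requires a credential even when password login is disabled.
$cred = Get-Credential -UserName 'azureadmin' -Message 'Placeholder; password auth is disabled'
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_D2s_v5' -SecurityType 'TrustedLaunch' -IdentityType SystemAssigned
$vm = Set-AzVMUefi -VM $vm -EnableVtpm $true -EnableSecureBoot $true
$vm = Set-AzVMOperatingSystem -VM $vm -Linux -ComputerName $vmName -Credential $cred -DisablePasswordAuthentication
$vm = Add-AzVMSshPublicKey -VM $vm -KeyData (Get-Content -Raw "$HOME/.ssh/id_ed25519.pub") `
        -Path '/home/azureadmin/.ssh/authorized_keys'
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'Canonical' -Offer '0001-com-ubuntu-server-jammy' `
        -Skus '22_04-lts-gen2' -Version 'latest'
$vm = Set-AzVMOSDisk -VM $vm -CreateOption FromImage -StorageAccountType 'Premium_LRS' -DeleteOption Delete
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm = Set-AzVMBootDiagnostic -VM $vm -Enable

New-AzVM -ResourceGroupName $rg -Location $loc -VM $vm | Out-Null

# Azure AD SSH login: who may log in, and as what, becomes an RBAC assignment that
# Conditional Access and MFA cover, instead of a question of who holds a key file.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'AADSSHLoginForLinux' `
    -Publisher 'Microsoft.Azure.ActiveDirectory' -ExtensionType 'AADSSHLoginForLinux' `
    -TypeHandlerVersion '1.0' | Out-Null
$vmId = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Id
New-AzRoleAssignment -SignInName 'ops-admin@contoso.com' `
    -RoleDefinitionName 'Virtual Machine Administrator Login' -Scope $vmId | Out-Null
```

The NSG deny rule at priority 4000 is the check an exam question likes to probe: NSG rules are evaluated by priority and the first match wins, so an allow rule added later at priority 4100 for port 3389 from Internet would still be blocked by the explicit deny above it.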

Azure App Service

Explanation

Platform-as-a-Service (PaaS) for hosting web applications, REST APIs and mobile backends on Windows or Linux. An App Service plan defines the compute (tier, instance size and count) and one or more apps run on it; the platform handles OS patching, load balancing across instances, auto-scaling and deployment slots for blue/green releases. Most of the security posture is configuration rather than code: HTTPS-only and a minimum TLS version, built-in authentication (Easy Auth) against Azure AD or social providers, a managed identity for reaching Key Vault and databases without stored secrets, access restrictions by IP or service endpoint, and VNet integration or private endpoints for network isolation.

Examples

Hosting .NET/Java/Python web apps, REST APIs for mobile applications, e-commerce websites, internal business applications, microservices architectures, progressive web apps (PWAs).

Enterprise Use Case

Ideal for developers who want to focus on code rather than infrastructure. Used for modern web applications, API hosting, rapid development cycles, and applications requiring built-in DevOps capabilities.

Diagram

Azure App Service Platform Architecture:
┌─────────────────────────────────────────────────────────────────┐
│                    🚀 APP SERVICE PLATFORM                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
📁 APPLICATION DEPLOYMENT                    ⚙️ SERVICE CONFIGURATION
┌─────────────────────┐                    ┌─────────────────────┐
│ Supported Runtimes: │                    │ App Service Plans:  │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │.NET Framework  │ │───►                │ │Free/Shared      │ │
│ │.NET Core/5+    │ │    │               │ │• 1GB RAM        │ │
│ │Java (8,11,17)  │ │    │               │ │• 1GB Storage    │ │
│ │Python (3.x)    │ │    │               │ │• Shared compute │ │
│ │Node.js (LTS)   │ │    ▼               │ └─────────────────┘ │
│ │PHP (7.x/8.x)   │ │ [DEPLOYMENT]       │                     │
│ │Ruby (2.x)      │ │ [ENGINE]           │ ┌─────────────────┐ │
│ └─────────────────┘ │    │               │ │Basic/Standard   │ │
│                     │    │               │ │• Dedicated VMs  │ │
│ Deployment Methods: │    │               │ │• Auto-scale     │ │
│ • Git (GitHub/Azure)│    │               │ │• Custom domains │ │
│ • ZIP/WAR uploads   │    │               │ │• SSL certs      │ │
│ • Docker containers │    │               │ └─────────────────┘ │
│ • FTP/FTPS         │    │               │                     │
│ • CI/CD pipelines   │    │               │ ┌─────────────────┐ │
└─────────────────────┘    │               │ │Premium/Isolated │ │
                           │               │ │• High performance│ │
                           ▼               │ │• Advanced scale │ │
🌐 PLATFORM SERVICES                       │ │• VNet integration│ │
┌─────────────────────┐                    │ └─────────────────┘ │
│ Built-in Features:  │                    └─────────────────────┘
│ ┌─────────────────┐ │
│ │Authentication   │ │                    🔧 MANAGEMENT & OPERATIONS
│ │├─ Azure AD      │ │                    ┌─────────────────────┐
│ │├─ Social (FB/   │ │                    │ Deployment Slots:   │
│ ││   Google/etc)  │ │                    │ ┌─────────────────┐ │
│ │└─ Custom        │ │                    │ │Production       │ │
│ └─────────────────┘ │                    │ │├─ Live traffic  │ │
│                     │                    │ │└─ Blue/Green    │ │
│ ┌─────────────────┐ │                    │ │                 │ │
│ │SSL/TLS Certs    │ │                    │ │Staging          │ │
│ │├─ Managed certs │ │                    │ │├─ Pre-prod test │ │
│ │├─ Custom certs  │ │                    │ │├─ Swap slots    │ │
│ │└─ SNI/IP SSL    │ │                    │ │└─ Traffic split │ │
│ └─────────────────┘ │                    │ └─────────────────┘ │
│                     │                    │                     │
│ ┌─────────────────┐ │                    │ Auto-Scaling Rules: │
│ │Load Balancing   │ │                    │ ┌─────────────────┐ │
│ │├─ Built-in LB   │ │                    │ │CPU Percentage   │ │
│ │├─ Traffic Mgr   │ │                    │ │Memory Usage     │ │
│ │└─ App Gateway   │ │                    │ │HTTP Queue       │ │
│ └─────────────────┘ │                    │ │Custom Metrics   │ │
│                     │                    │ └─────────────────┘ │
│ ┌─────────────────┐ │                    │                     │
│ │Monitoring       │ │                    │ Backup & Restore:   │
│ │├─ App Insights  │ │                    │ • Automated backups │
│ │├─ Metrics       │ │                    │ • Point-in-time     │
│ │├─ Logs          │ │                    │ • Custom schedules  │
│ │└─ Alerts        │ │                    │ • Cross-region copy │
│ └─────────────────┘ │                    └─────────────────────┘
└─────────────────────┘

💡 DEVELOPMENT WORKFLOW INTEGRATION
┌─────────────────────────────────────────────────────────────────┐
│ DevOps Integration: │ Connection Strings:  │ Configuration:      │
│ • GitHub Actions    │ • Key Vault secrets  │ • App Settings      │
│ • Azure DevOps     │ • Connection pooling │ • Environment vars  │
│ • Docker Hub       │ • Managed Identity   │ • Feature flags     │
├─────────────────────────────────────────────────────────────────┤
│ Database Support:   │ Networking:          │ Security Features:  │
│ • Azure SQL        │ • VNet Integration   │ • WAF protection    │
│ • MySQL/PostgreSQL │ • Private Endpoints  │ • IP restrictions   │
│ • CosmosDB         │ • Hybrid connections │ • CORS policies     │
└─────────────────────────────────────────────────────────────────┘

App Service Types:
─────────────────
🌐 Web Apps:     Standard web applications, APIs, and static sites
📱 Mobile Apps:  Backend services for mobile applications  
🔧 API Apps:     REST/SOAP APIs with Swagger documentation
⚡ Function Apps: Serverless compute for event-driven code
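The platform features above, exercised as an added Az.Websites PowerShell example (not from the original guide): create a plan and app, harden the transport and deployment settings, give the app a managed identity and a Key Vault reference instead of a stored connection string, lock the Kudu/SCM site to an admin range, and run a staging-slot swap. Resource names, the secret name, the admin CIDR and the assumption that the vault uses the RBAC permission model are all assumptions.

```powershell
# Added example, not from the original guide. Assumed: rg-web, plan asp-web-prod (S1),
# app contoso-orders, Key Vault kv-contoso (RBAC permission model) holding secret
# 'OrdersDbConnection', admin range 203.0.113.0/24.
Import-Module Az.Accounts, Az.Websites, Az.KeyVault, Az.Resources

$rg = 'rg-web'; $loc = 'eastus'; $plan = 'asp-web-prod'; $app = 'contoso-orders'; $kv = 'kv-contoso'

New-AzAppServicePlan -ResourceGroupName $rg -Name $plan -Location $loc `
    -Tier Standard -WorkerSize Small -NumberofWorkers 2 | Out-Null
New-AzWebApp -ResourceGroupName $rg -Name $app -Location $loc -AppServicePlan $plan | Out-Null

# Hardening: HTTPS only, TLS 1.2 minimum, FTP deployment off, system-assigned identity.
$site = Set-AzWebApp -ResourceGroupName $rg -Name $app `
    -HttpsOnly $true -MinTlsVersion '1.2' -FtpsState 'Disabled' -AssignIdentity $true

# Let the identity read secrets, then reference the secret from app settings. The app sees
# the secret value as an ordinary setting; the configuration never stores it.
$vault = Get-AzKeyVault -VaultName $kv
New-AzRoleAssignment -ObjectId $site.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Secrets User' -Scope $vault.ResourceId | Out-Null

# -AppSettings replaces the whole collection, so merge with the settings already present.
$settings = @{}
(Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings |
    ForEach-Object { $settings[$_.Name] = $_.Value }
$settings['OrdersDb']                 = "@Microsoft.KeyVault(VaultName=$kv;SecretName=OrdersDbConnection)"
$settings['WEBSITE_RUN_FROM_PACKAGE'] = '1'   # read-only wwwroot: a compromised app cannot rewrite itself
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $settings | Out-Null

# The SCM (Kudu) site exposes a shell and file browser; restrict it to the admin network.
# Adding any Allow rule makes the implicit default a Deny for everything else.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app -Name 'scm-admins' `
    -Priority 100 -Action Allow -IpAddress '203.0.113.0/24' -TargetScmSite

# Blue/green: deploy and validate on the staging slot, then swap. Slot settings marked
# sticky stay with the slot; everything else, including the Key Vault reference, swaps.
New-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot 'staging' -AppServicePlan $plan | Out-Null
Set-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot 'staging' -HttpsOnly $true | Out-Null
Switch-AzWebAppSlot -ResourceGroupName $rg -Name $app -SourceSlotName 'staging' -DestinationSlotName 'production'
```

Check the Key Vault reference resolved before trusting the swap: in the portal the app setting shows a green check when the identity can read the secret, and a red mark when the role assignment or vault network rules block it, which is the most common reason a freshly swapped slot starts with no database connection.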

Azure Container Instances (ACI)

Explanation

Serverless container service that runs containers without managing virtual machines or orchestrators. Fastest way to run a container in Azure with per-second billing. Ideal for isolated containers, burst scaling, and development scenarios.

Examples

Running batch jobs, CI/CD build agents, burst scaling for applications, running isolated workloads, development and testing environments, event-driven processing.

Enterprise Use Case

Used for simple container workloads, short-running tasks and development environments, and as the burst target for AKS virtual nodes, where pods are scheduled onto ACI when the cluster's own nodes are full.

Diagram

Azure Container Instances (ACI) Serverless Architecture:
┌─────────────────────────────────────────────────────────────────┐
│                   📦 CONTAINER INSTANCES PLATFORM              │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
🏗️ CONTAINER DEPLOYMENT                      ⚙️ EXECUTION ENVIRONMENT
┌─────────────────────┐                    ┌─────────────────────┐
│ Image Sources:      │                    │ Container Groups:   │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │Docker Hub       │ │───►                │ │Single Container │ │
│ │• Public images  │ │    │               │ │├─ Simple apps   │ │
│ │• Official repos │ │    │               │ │├─ Microservices │ │
│ │• Community      │ │    │               │ │└─ Batch jobs    │ │
│ └─────────────────┘ │    ▼               │ └─────────────────┘ │
│                     │ [PULL &]           │                     │
│ ┌─────────────────┐ │ [DEPLOY]           │ ┌─────────────────┐ │
│ │Azure Container  │ │    │               │ │Multi-Container  │ │
│ │Registry (ACR)   │ │    │               │ │├─ Sidecar apps  │ │
│ │├─ Private images│ │    │               │ │├─ Shared storage│ │
│ │├─ Geo-replication││   │               │ │├─ Network share │ │
│ │└─ Security scan │ │    │               │ │└─ Init containers││
│ └─────────────────┘ │    │               │ └─────────────────┘ │
│                     │    │               │                     │
│ ┌─────────────────┐ │    │               │ Resource Allocation:│
│ │Private Registry │ │    │               │ ┌─────────────────┐ │
│ │├─ Custom repos  │ │    │               │ │CPU: 0.1-4 cores│ │
│ │├─ Harbor/GitLab │ │    │               │ │Memory: 0.1-16GB │ │
│ │└─ On-premises   │ │    │               │ │GPU: Optional    │ │
│ └─────────────────┘ │    │               │ └─────────────────┘ │
└─────────────────────┘    │               └─────────────────────┘
                           │
                           ▼
🌐 NETWORKING & STORAGE                      📊 MANAGEMENT & MONITORING
┌─────────────────────┐                    ┌─────────────────────┐
│ Network Options:    │                    │ Lifecycle Control:  │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │Public IP        │ │                    │ │Restart Policies │ │
│ │├─ Dynamic/Static│ │                    │ │├─ Always        │ │
│ │├─ IPv4/IPv6     │ │                    │ │├─ OnFailure     │ │
│ │└─ DNS name      │ │                    │ │├─ Never         │ │
│ └─────────────────┘ │                    │ │└─ Custom        │ │
│                     │                    │ └─────────────────┘ │
│ ┌─────────────────┐ │                    │                     │
│ │Virtual Network  │ │                    │ Monitoring & Logs:  │
│ │├─ VNet-deployed │ │                    │ ┌─────────────────┐ │
│ │├─ Private IPs   │ │                    │ │Container Logs   │ │
│ │├─ Subnet config │ │                    │ │├─ STDOUT/STDERR │ │
│ │└─ NSG rules     │ │                    │ │├─ Custom logs   │ │
│ └─────────────────┘ │                    │ │└─ Log Analytics │ │
│                     │                    │ └─────────────────┘ │
│ ┌─────────────────┐ │                    │                     │
│ │Storage Volumes  │ │                    │ ┌─────────────────┐ │
│ │├─ Azure Files   │ │                    │ │Health Probes    │ │
│ │├─ EmptyDir      │ │                    │ │├─ Liveness      │ │
│ │├─ Secret mounts │ │                    │ │├─ Readiness     │ │
│ │└─ ConfigMaps    │ │                    │ │└─ Startup       │ │
│ └─────────────────┘ │                    │ └─────────────────┘ │
└─────────────────────┘                    └─────────────────────┘

⚡ SERVERLESS CHARACTERISTICS
┌─────────────────────────────────────────────────────────────────┐
│ Billing Model:        │ Performance:          │ Use Cases:        │
│ • Per-second billing  │ • Fast cold start     │ • Batch processing│
│ • No idle charges     │ • Sub-second deploy   │ • CI/CD agents    │
│ • Pay per resource    │ • Auto-termination    │ • Event processing│
├─────────────────────────────────────────────────────────────────┤
│ Scaling Limits:       │ Security Features:    │ Integration:      │
│ • No orchestration    │ • Managed Identity    │ • Logic Apps      │
│ • Manual scaling only │ • Private networking  │ • Azure Functions │
│ • Max 60 CPU cores    │ • Container scanning  │ • Event Grid      │
└─────────────────────────────────────────────────────────────────┘

Container Instance States:
─────────────────────────
🚀 Pending:     Image pull and resource allocation in progress
🟢 Running:     Container is actively executing and healthy  
⏸️ Terminated: Container completed or failed (exit codes preserved)
🔄 Restarting: Automatic restart based on restart policy

ARM Templates & Bicep Files

Explanation

**Explanation**: Infrastructure-as-Code (IaC) service for Azure that allows you to define and deploy Azure resources using JSON (ARM) or Bicep declarative syntax. Templates provide consistency, version control, and repeatable deployments across environments.

Examples

**Examples**: Deploying entire application stacks, creating development/staging/production environments, automating infrastructure provisioning, implementing CI/CD pipelines for infrastructure, managing resource dependencies and configurations.

Enterprise Use Case

**Use Case**: Enterprise teams use ARM templates for consistent deployments across multiple environments, reducing manual configuration errors, implementing infrastructure governance, and enabling DevOps practices for cloud infrastructure management.

Diagram

ARM Templates & Bicep Infrastructure-as-Code Platform:
┌─────────────────────────────────────────────────────────────────┐
│                📝 INFRASTRUCTURE-AS-CODE LIFECYCLE             │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
🛠️ TEMPLATE DEVELOPMENT                      ⚡ DEPLOYMENT METHODS
┌─────────────────────┐                    ┌─────────────────────┐
│ Template Formats:   │                    │ Deployment Scopes:  │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │ARM (JSON)       │ │───►                │ │Management Group │ │
│ │├─ Complex syntax│ │    │               │ │├─ Organization  │ │
│ │├─ Verbose       │ │    │               │ │└─ Multi-tenant  │ │
│ │└─ Full features │ │    ▼               │ └─────────────────┘ │
│ └─────────────────┘ │ [VALIDATION]       │                     │
│                     │ [& PREVIEW]        │ ┌─────────────────┐ │
│ ┌─────────────────┐ │    │               │ │Subscription     │ │
│ │Bicep Language   │ │    │               │ │├─ Cross-service │ │
│ │├─ Simple syntax │ │    │               │ │├─ Environment   │ │
│ │├─ Type safety   │ │    │               │ │└─ Multi-region  │ │
│ │├─ IntelliSense  │ │    │               │ └─────────────────┘ │
│ │└─ Transpiles    │ │    │               │                     │
│ │   to ARM        │ │    │               │ ┌─────────────────┐ │
│ └─────────────────┘ │    │               │ │Resource Group   │ │
│                     │    │               │ │├─ Application   │ │
│ Template Structure: │    │               │ │├─ Service tier  │ │
│ • $schema           │    │               │ │└─ Single app    │ │
│ • contentVersion    │    │               │ └─────────────────┘ │
│ • parameters        │    │               │                     │
│ • variables         │    │               │ ┌─────────────────┐ │
│ • resources         │    │               │ │Tenant Level     │ │
│ • outputs           │    │               │ │├─ Global policy │ │
│ • functions         │    │               │ │└─ Billing setup │ │
└─────────────────────┘    │               │ └─────────────────┘ │
                           │               └─────────────────────┘
                           ▼
🚀 DEPLOYMENT ORCHESTRATION                  🔧 ADVANCED FEATURES
┌─────────────────────┐                    ┌─────────────────────┐
│ Azure Resource Mgr: │                    │ Template Specs:     │
│ ┌─────────────────┐ │                    │ ┌─────────────────┐ │
│ │Resource Graph   │ │                    │ │Version control  │ │
│ │├─ Dependency    │ │                    │ │├─ Semantic ver. │ │
│ │   resolution    │ │                    │ │├─ Access control│ │
│ │├─ Parallel      │ │                    │ │└─ Centralized   │ │
│ │   deployment    │ │                    │ │   management    │ │
│ │└─ Rollback      │ │                    │ └─────────────────┘ │
│ │   capability    │ │                    │                     │
│ └─────────────────┘ │                    │ Linked Templates:   │
│                     │                    │ ┌─────────────────┐ │
│ Deployment Modes:   │                    │ │Modular design   │ │
│ ┌─────────────────┐ │                    │ │├─ Nested temps  │ │
│ │Incremental      │ │                    │ │├─ External refs │ │
│ │├─ Add/Update    │ │                    │ │├─ Parameter     │ │
│ │└─ Preserves     │ │                    │ │   passing       │ │
│ │   existing      │ │                    │ │└─ Chained output│ │
│ └─────────────────┘ │                    │ └─────────────────┘ │
│                     │                    │                     │
│ ┌─────────────────┐ │                    │ What-If Analysis:   │
│ │Complete         │ │                    │ ┌─────────────────┐ │
│ │├─ Replace all   │ │                    │ │Preview changes  │ │
│ │├─ Delete unused │ │                    │ │├─ Resource diffs│ │
│ │└─ Full state    │ │                    │ │├─ Cost estimate │ │
│ │   management    │ │                    │ │└─ Risk analysis │ │
│ └─────────────────┘ │                    │ └─────────────────┘ │
└─────────────────────┘                    └─────────────────────┘

📊 TEMPLATE MANAGEMENT & GOVERNANCE
┌─────────────────────────────────────────────────────────────────┐
│ DevOps Integration:   │ Testing & Validation: │ Deployment Tools: │
│ • GitHub Actions      │ • ARM-TTK toolkit     │ • Azure CLI       │
│ • Azure DevOps        │ • Bicep linting       │ • PowerShell      │
│ • CI/CD pipelines     │ • Unit testing        │ • REST API        │
├─────────────────────────────────────────────────────────────────┤
│ Best Practices:       │ Security Features:    │ Monitoring:       │
│ • Parameterization    │ • Key Vault secrets   │ • Deployment logs │
│ • Idempotency         │ • Managed Identity    │ • Activity logs   │
│ • Resource naming     │ • RBAC integration    │ • Resource health │
└─────────────────────────────────────────────────────────────────┘

Template Deployment States:
──────────────────────────
🟡 Validating:   Syntax and dependency validation in progress
🔵 Accepted:     Template queued for deployment execution
🟢 Running:      Resources being created/updated in parallel
✅ Succeeded:    All resources deployed successfully
❌ Failed:       Deployment stopped due to errors (rollback available)
⏸️ Canceled:     User or system canceled the deployment

Modify ARM Templates

Explanation

**Explanation**: Process of editing existing ARM templates to add new resources, modify parameters, update resource configurations, or change dependencies. Includes understanding template structure, syntax, and best practices for maintainable templates.

Examples

**Examples**: Adding storage accounts to VM templates, updating VM sizes through parameters, adding tags to all resources, modifying network security group rules, changing location parameters, updating API versions for resources.

Enterprise Use Case

**Use Case**: DevOps teams modify templates when business requirements change, need to support new regions, add compliance requirements, optimize costs by changing resource sizes, or integrate with new Azure services.

Diagram

**Visual**: 
🎨 ARM Template Modification Process:

┌─────────────────────────────────────────────────────────────────┐
│                    🔧 TEMPLATE MODIFICATION                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📁 ORIGINAL        │    │        ✏️ MODIFIED TEMPLATE         │
│                     │───►│                                     │
│ "parameters": {     │    │  "parameters": {                    │
│   "vmSize": {       │    │    "vmSize": {                      │
│     "defaultValue": │    │      "defaultValue": "Standard_B4ms"│
│     "Standard_B2s"  │    │      "allowedValues": [             │
│   }                 │    │        "Standard_B2s",              │
│ },                  │    │        "Standard_B4ms",             │
│ "resources": [      │    │        "Standard_D4s_v3"            │
│   {                 │    │      ]                              │
│     "type": "VM",   │    │    }                                │
│     "properties": { │    │  },                                 │
│       "hardware     │    │  "resources": [                     │
│        Profile": {  │    │    {                                │
│         "vmSize":   │    │      "type": "VM",                  │
│       "Standard_B2s"│    │      "properties": {                │
│       }             │    │        "hardwareProfile": {         │
│     }               │    │          "vmSize": "[parameters     │
│   }                 │    │                     ('vmSize')]"    │
│ ]                   │    │        }                            │
└─────────────────────┘    │      }                              │
                           │    }                                │
                           │  ]                                  │
                           └─────────────────────────────────────┘

Modification Types:
─────────────────────
• Add Parameters    - Make templates configurable
• Update Resources  - Change properties & settings  
• Add Dependencies  - Control deployment order
• Include Outputs   - Return deployment information
• Add Conditions    - Deploy resources conditionally
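The modification shown in the diagram above, carried out and then checked in code. This is an added example for this guide, not Microsoft tooling: the template is constructed sample data (with the real `Microsoft.Compute/virtualMachines` type string in place of the diagram's `"VM"`), and the `lint` checks are the ones a reviewer would run on any hand-edited template: defaults inside `allowedValues`, credential parameters declared `secureString`, and no reference to an undeclared parameter.

```python
"""Parameterize a hardcoded ARM template property and lint the result."""
import copy
import re

VM_TYPE = "Microsoft.Compute/virtualMachines"
# Matches an ARM expression of the form [parameters('name')]
PARAM_REF = re.compile(r"^\[parameters\('([A-Za-z0-9_]+)'\)\]$")

# Constructed "original" template: vmSize is hardcoded in the resource.
ORIGINAL_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "resources": [{
        "type": VM_TYPE,
        "apiVersion": "2023-03-01",
        "name": "myVM",
        "location": "eastus",
        "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}},
    }],
}


def parameterize(template, resource_type, path, param_name, allowed, default):
    """Return a copy of `template` in which every resource of `resource_type`
    has the value at `path` (keys under properties) replaced by a parameter
    reference, and a parameter with allowedValues is declared for it."""
    if default not in allowed:
        raise ValueError(f"default {default!r} is not in allowedValues")
    new = copy.deepcopy(template)
    new.setdefault("parameters", {})[param_name] = {
        "type": "string",
        "defaultValue": default,
        "allowedValues": list(allowed),
    }
    for res in new.get("resources", []):
        if res.get("type") != resource_type:
            continue
        node = res.setdefault("properties", {})
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = f"[parameters('{param_name}')]"
    return new


def hardcoded_vm_sizes(template):
    """(name, vmSize) for VM resources whose size is a literal, not a parameter."""
    found = []
    for res in template.get("resources", []):
        if res.get("type") != VM_TYPE:
            continue
        size = res.get("properties", {}).get("hardwareProfile", {}).get("vmSize")
        if isinstance(size, str) and not PARAM_REF.match(size):
            found.append((res.get("name"), size))
    return found


def lint(template):
    """Review checks worth running before deploying a modified template."""
    findings = []
    params = template.get("parameters", {})
    for name, spec in params.items():
        default, allowed = spec.get("defaultValue"), spec.get("allowedValues")
        if allowed is not None and default is not None and default not in allowed:
            findings.append(f"{name}: defaultValue is not in allowedValues")
        # Credentials must be declared secure so they never land in deployment logs.
        if any(w in name.lower() for w in ("password", "secret")) \
                and spec.get("type") not in ("secureString", "secureObject"):
            findings.append(f"{name}: credential-like parameter should be secureString")

    def walk(node):  # every [parameters('x')] must name a declared parameter
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, str):
            m = PARAM_REF.match(node)
            if m and m.group(1) not in params:
                findings.append(f"undeclared parameter reference: {m.group(1)}")

    walk(template.get("resources", []))
    return findings


def apply_diagram_modification(template=ORIGINAL_TEMPLATE):
    """The exact change shown in the diagram: vmSize becomes a constrained parameter."""
    return parameterize(
        template, VM_TYPE, ["hardwareProfile", "vmSize"], "vmSize",
        ["Standard_B2s", "Standard_B4ms", "Standard_D4s_v3"], "Standard_B4ms",
    )


if __name__ == "__main__":
    modified = apply_diagram_modification()
    print("before:", hardcoded_vm_sizes(ORIGINAL_TEMPLATE))
    print("after:", hardcoded_vm_sizes(modified), "findings:", lint(modified))
```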

Deploy ARM Template Resources

Explanation

**Explanation**: Process of executing ARM templates to create Azure resources. Includes validation, dependency resolution, parallel deployment, and rollback capabilities. Azure Resource Manager orchestrates the deployment based on template definitions.

Examples

**Examples**: Deploying via Azure Portal, using Azure CLI (az deployment group create), PowerShell (New-AzResourceGroupDeployment), REST APIs, CI/CD pipelines, Azure DevOps, GitHub Actions.

Enterprise Use Case

**Use Case**: Operations teams deploy templates for environment provisioning, disaster recovery scenarios, scaling applications, implementing infrastructure changes, and automating resource lifecycle management.

Diagram

**Visual**: 
🎨 ARM Template Deployment Methods:

┌─────────────────────────────────────────────────────────────────┐
│                    🚀 DEPLOYMENT CHANNELS                      │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🖥️ AZURE PORTAL     │    │         💻 COMMAND LINE            │
│                     │    │                                     │
│ Custom deployment   │    │  Azure CLI:                         │
│ ┌─────────────────┐ │    │  az deployment group create \       │
│ │Upload template  │ │    │    --resource-group myRG \          │
│ │Set parameters   │ │    │    --template-file template.json \  │
│ │Review & deploy  │ │    │    --parameters @parameters.json    │
│ └─────────────────┘ │    │                                     │
│                     │    │  PowerShell:                        │
└─────────────────────┘    │  New-AzResourceGroupDeployment `    │
                           │    -ResourceGroupName "myRG" `      │
┌─────────────────────┐    │    -TemplateFile "template.json"    │
│  🔄 CI/CD PIPELINES  │    └─────────────────────────────────────┘
│                     │    
│ Azure DevOps        │    ┌─────────────────────────────────────┐
│ GitHub Actions      │    │        📊 DEPLOYMENT PROCESS       │
│ Jenkins             │───►│                                     │
│                     │    │  1️⃣ Template Validation             │
└─────────────────────┘    │  2️⃣ Dependency Analysis             │
                           │  3️⃣ Resource Provisioning          │
                           │  4️⃣ Configuration Application       │
                           │  5️⃣ Status Reporting               │
                           └─────────────────────────────────────┘

Deployment Benefits:
──────────────────────
✅ Consistent         - Same resources every time
⚡ Fast               - Parallel resource creation  
🔒 Secure             - Role-based access control
📝 Auditable          - Complete deployment logs
🔄 Repeatable         - Deploy to multiple environments

Export & Convert ARM Deployments

Explanation

**Explanation**: Capability to export existing Azure resources as ARM templates and convert between different infrastructure-as-code formats. Includes exporting resource groups, converting ARM to Bicep, and generating templates from existing deployments.

Examples

**Examples**: Exporting production environments for replication, converting legacy ARM templates to Bicep, generating templates from manually created resources, creating backup templates, migrating between Azure subscriptions.

Enterprise Use Case

**Use Case**: Organizations use export/convert features to standardize existing infrastructure, migrate to modern IaC practices, create disaster recovery templates, and transition from manual to automated deployments.

Diagram

**Visual**: 
🎨 ARM Export & Conversion Workflow:

┌─────────────────────────────────────────────────────────────────┐
│                    🔄 EXPORT & CONVERSION                      │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🏢 EXISTING AZURE   │    │         📄 GENERATED TEMPLATES     │
│                     │───►│                                     │
│ Resource Group:     │    │  ARM Template (JSON):               │
│ ├─ 🖥️ Virtual Machine │    │  {                                   │
│ ├─ 💾 Storage Account│    │    "$schema": "...",                 │
│ ├─ 🌐 Virtual Network │    │    "resources": [                    │
│ ├─ 🔒 NSG            │    │      { "type": "Microsoft.Compute/  │
│ └─ 📍 Public IP      │    │         virtualMachines" },          │
│                     │    │      { "type": "Microsoft.Storage/  │
└─────────────────────┘    │         storageAccounts" }           │
                           │    ]                                │
┌─────────────────────┐    │  }                                  │
│  🛠️ CONVERSION TOOLS │    │                                     │
│                     │    │  Bicep Template:                    │
│ • Portal Export     │───►│  resource vm 'Microsoft.Compute/    │
│ • Azure CLI         │    │           virtualMachines@2021-11-01'│
│ • PowerShell        │    │  resource storage 'Microsoft.Storage│
│ • ARM Tools         │    │           /storageAccounts@2021-09-01'│
│ • Bicep CLI         │    └─────────────────────────────────────┘
└─────────────────────┘    

Export Methods:
─────────────────
🏗️ Resource Group  - Export entire RG as template
🎯 Specific Resource - Export single resource template  
📊 Deployment History - Template from past deployment
🔄 Automation Script - Generate PowerShell/CLI scripts
💎 Bicep Conversion - ARM JSON to Bicep format

Use Cases:
────────────
• Environment Replication  • Infrastructure Standardization
• Disaster Recovery Setup  • Migration Between Subscriptions  
• Documentation Creation   • Template Library Building

Create VMs via Azure Portal

Explanation

**Explanation**: Web-based graphical interface for creating and managing Azure Virtual Machines. Provides step-by-step wizards, visual configuration options, and integrated resource management for VM deployment and administration.

Examples

**Examples**: Creating Windows/Linux VMs through portal wizard, configuring VM settings via GUI, managing VM resources visually, using portal for one-time deployments, educational purposes, and quick prototyping.

Enterprise Use Case

**Use Case**: IT administrators use portal for ad-hoc VM creation, learning Azure concepts, troubleshooting individual VMs, demonstration purposes, and when GUI-based management is preferred over command-line tools.

Diagram

**Visual**: 
🎨 Azure Portal VM Creation Wizard:

┌─────────────────────────────────────────────────────────────────┐
│                    🖥️ AZURE PORTAL VM WIZARD                   │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  📋 BASICS TAB      │    │         ⚙️ CONFIGURATION TABS      │
│                     │───►│                                     │
│ Subscription: [▼]   │    │  💽 Disks:                         │
│ Resource Group: [▼] │    │  ┌─────────────────────────────────┐│
│ VM Name: [_______]  │    │  │OS Disk: Premium SSD             ││
│ Region: East US [▼] │    │  │Data Disks: + Add disk           ││
│ Image: Ubuntu [▼]   │    │  └─────────────────────────────────┘│
│ Size: B2s [Change]  │    │                                     │
│ Username: [_______] │    │  🌐 Networking:                     │
│ SSH Key: [Browse]   │    │  Virtual Network: [Create new] [▼] │
└─────────────────────┘    │  Subnet: default [▼]               │
                           │  Public IP: [Create new] [▼]       │
┌─────────────────────┐    │                                     │
│  🔒 SECURITY TAB    │    │  🛡️ Management:                     │
│                     │───►│  Boot Diagnostics: ☑ Enable       │
│ Boot diagnostics    │    │  Monitoring: ☑ Enable insights     │
│ OS guest diagnostics│    │  Auto-shutdown: ☐ Enable          │
│ System managed      │    │  Backup: ☐ Enable                 │
│ identity            │    └─────────────────────────────────────┘
└─────────────────────┘    

Portal Benefits:
────────────────
🖱️ Point & Click   - No command syntax required
👀 Visual Feedback - See configuration in real-time  
🎯 Guided Process  - Step-by-step wizard
📊 Resource Overview - View all related resources
🔍 Integrated Help - Contextual assistance available

Create VMs via Azure CLI

Explanation

**Explanation**: Command-line interface tool for creating and managing Azure Virtual Machines using scripted commands. Enables automation, batch operations, and integration with DevOps pipelines for VM lifecycle management.

Examples

**Examples**: Creating VMs with az vm create command, automating VM deployments in scripts, batch creating multiple VMs, integrating VM creation in CI/CD pipelines, using Azure Cloud Shell for VM management.

Enterprise Use Case

**Use Case**: DevOps engineers use CLI for automated VM provisioning, scripted infrastructure deployment, integration with configuration management tools, and when command-line efficiency is preferred.

Diagram

**Visual**: 
🎨 Azure CLI VM Creation Commands:

┌─────────────────────────────────────────────────────────────────┐
│                    💻 AZURE CLI VM COMMANDS                    │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  📝 BASIC VM CREATE │    │        🔧 ADVANCED OPTIONS         │
│                     │───►│                                     │
│ az vm create \      │    │  az vm create \                     │
│   --resource-group \│    │    --resource-group myRG \          │
│   myResourceGroup \ │    │    --name myVM \                    │
│   --name myVM \     │    │    --image UbuntuLTS \              │
│   --admin-username \│    │    --size Standard_B2s \            │
│   azureuser \       │    │    --vnet-name myVnet \             │
│   --image Ubuntu2204│    │    --subnet mySubnet \              │
│                     │    │    --public-ip-address-dns-name \   │
└─────────────────────┘    │      myuniquedomainname \           │
                           │    --storage-sku Premium_LRS \      │
┌─────────────────────┐    │    --os-disk-size-gb 128 \          │
│  🗂️ BATCH CREATION  │    │    --data-disk-sizes-gb 64 128 \    │
│                     │───►│    --custom-data cloud-init.txt     │
│ # Create 5 VMs      │    └─────────────────────────────────────┘
│ for i in {1..5}; do │    
│   az vm create \    │    ┌─────────────────────────────────────┐
│     --name "vm$i" \ │    │         📊 COMMAND OUTPUT          │
│     -g myRG         │───►│                                     │
│ done                │    │  {                                  │
│                     │    │    "fqdns": "",                     │
└─────────────────────┘    │    "id": "/subscriptions/.../vm1",  │
                           │    "location": "eastus",            │
                           │    "macAddress": "00-0D-3A-...",    │
                           │    "powerState": "VM running",      │
                           │    "privateIpAddress": "10.0.0.4",  │
                           │    "publicIpAddress": "13.82.42.1", │
                           │    "resourceGroup": "myRG"          │
                           │  }                                  │
                           └─────────────────────────────────────┘

CLI Benefits:
────────────────
⚡ Fast Execution  - Single command deployment
🔄 Scriptable     - Easily automated and repeated  
📝 Version Control - Commands stored in scripts
🔗 Pipeline Ready  - CI/CD integration friendly
💻 Cross-Platform  - Works on Windows/Linux/macOS

Create VMs via PowerShell

Explanation

**Explanation**: PowerShell cmdlets for creating and managing Azure Virtual Machines using object-oriented scripting. Provides rich scripting capabilities, error handling, and integration with Windows-based management workflows.

Examples

**Examples**: Using New-AzVM cmdlet, creating VMs with PowerShell scripts, automating Windows VM deployments, integrating with Active Directory, using PowerShell ISE for development.

Enterprise Use Case

**Use Case**: Windows administrators use PowerShell for VM automation, enterprise scripting scenarios, integration with existing PowerShell workflows, and when object-oriented scripting is preferred.

Diagram

**Visual**: 
🎨 Azure PowerShell VM Creation:

┌─────────────────────────────────────────────────────────────────┐
│                   ⚡ POWERSHELL VM CREATION                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  📋 BASIC CMDLET    │    │         🔧 ADVANCED SCRIPT         │
│                     │───►│                                     │
│ New-AzVM `          │    │  # VM Configuration Object          │
│ -ResourceGroupName `│    │  $vmConfig = New-AzVMConfig `       │
│   "myRG" `          │    │    -VMName "myVM" `                 │
│ -Name "myVM" `      │    │    -VMSize "Standard_B2s"           │
│ -Image "UbuntuLTS" `│    │                                     │
│ -Credential $cred   │    │  # Operating System                 │
│                     │    │  $vmConfig = `                      │
│                     │    │    Set-AzVMOperatingSystem `        │
│                     │    │    -VM $vmConfig `                  │
└─────────────────────┘    │    -Linux `                         │
                           │    -ComputerName "myVM" `           │
┌─────────────────────┐    │    -Credential $cred                │
│  🔐 CREDENTIALS     │    │                                     │
│                     │───►│  # Network Interface                │
│ $cred =             │    │  $vmConfig = `                      │
│   Get-Credential    │    │    Add-AzVMNetworkInterface `       │
│                     │    │    -VM $vmConfig `                  │
│ Username: azureuser │    │    -Id $nic.Id                      │
│ Password: ********  │    │                                     │
└─────────────────────┘    │  # Create VM                        │
                           │  New-AzVM `                         │
                           │    -ResourceGroupName "myRG" `      │
                           │    -Location "East US" `            │
                           │    -VM $vmConfig                    │
                           └─────────────────────────────────────┘

PowerShell Benefits:
──────────────────────
🧠 Object-Oriented - Rich object manipulation
🔍 Error Handling  - Try-catch-finally blocks  
📊 Pipeline Power  - Chain cmdlets together
🔗 Windows Native  - Deep Windows integration
📝 ISE Support     - Integrated scripting environment

VM Sizes and Generations

Explanation

**Explanation**: Azure VM sizes determine the amount of compute resources (CPU, memory, disk) allocated to virtual machines. Generations indicate the underlying hardware platform version with newer generations offering better performance and features.

Examples

**Examples**: B-series for burstable workloads, D-series for general purpose, F-series for compute-intensive, M-series for memory-intensive, choosing appropriate sizes for different application requirements.

Enterprise Use Case

**Use Case**: Organizations select VM sizes based on workload requirements, cost optimization needs, performance demands, and compliance requirements for CPU/memory specifications.

Diagram

**Visual**: 
🎨 Azure VM Size Categories:

┌─────────────────────────────────────────────────────────────────┐
│                    💻 VM SIZE FAMILIES                         │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📊 GENERAL PURPOSE │    │        🎯 SPECIALIZED SIZES        │
│                     │───►│                                     │
│ B-series (Burstable)│    │  F-series (Compute optimized):     │
│ • B1s: 1 vCPU, 1GB  │    │  • F2s_v2: 2 vCPU, 4GB RAM        │
│ • B2s: 2 vCPU, 4GB  │    │  • F4s_v2: 4 vCPU, 8GB RAM        │
│                     │    │                                     │
│ D-series (Balanced) │    │  M-series (Memory optimized):      │
│ • D2s_v3: 2 vCPU,8GB│    │  • M8ms: 8 vCPU, 218GB RAM        │
│ • D4s_v3: 4 vCPU,16GB│    │  • M16ms: 16 vCPU, 437GB RAM      │
└─────────────────────┘    └─────────────────────────────────────┘

Sizing Considerations:
────────────────────────
🔄 Workload Type     - CPU vs Memory intensive
💰 Cost Optimization - Balance performance vs price
📈 Scaling Needs     - Future growth requirements
🌍 Regional Availability - Size availability by region
⚡ Performance Tier   - Standard vs Premium storage

VM Connectivity Options

Explanation

**Explanation**: Methods for connecting to Azure Virtual Machines including SSH for Linux, RDP for Windows, and Azure Bastion for secure browser-based access. Each method provides different security and accessibility features.

Examples

**Examples**: SSH key-based authentication for Linux VMs, RDP connections to Windows VMs, Azure Bastion for secure access without public IPs, just-in-time access for enhanced security.

Enterprise Use Case

**Use Case**: IT teams use different connectivity options based on security requirements, operating system type, network configuration, and administrative access patterns.

Diagram

**Visual**: 
🎨 VM Connectivity Methods:

┌─────────────────────────────────────────────────────────────────┐
│                    🔗 CONNECTION METHODS                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🐧 LINUX (SSH)     │    │        🪟 WINDOWS (RDP)            │
│                     │───►│                                     │
│ ssh user@vm-ip      │    │  mstsc /v:vm-ip                    │
│ Port: 22            │    │  Port: 3389                        │
│ Key-based auth      │    │  Username/Password                 │
│                     │    │                                     │
│ Terminal access     │    │  Full desktop GUI                 │
│ Command line        │    │  Windows applications              │
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🛡️ AZURE BASTION   │    │        ⚡ JUST-IN-TIME ACCESS      │
│                     │───►│                                     │
│ Browser-based       │    │  Temporary access                  │
│ No public IP needed │    │  Time-limited                      │
│ Azure Portal        │    │  On-demand approval                │
│ HTML5 client        │    │  Enhanced security                 │
└─────────────────────┘    └─────────────────────────────────────┘

Security Best Practices:
──────────────────────────
🔐 SSH Keys          - More secure than passwords
🛡️ Network Security   - NSG rules and firewalls
🎯 Just-in-Time      - Minimize exposure window
📍 Bastion Hosts     - Eliminate public IP requirements

SSH Connection to Azure VMs

Explanation

**Explanation**: Secure Shell (SSH) protocol for secure remote access to Linux Azure VMs. Uses public/private key authentication for enhanced security and provides command-line access to the VM operating system.

Examples

**Examples**: Generating SSH key pairs, connecting via ssh command, using PuTTY on Windows, configuring SSH keys in VM creation, troubleshooting connection issues.

Enterprise Use Case

**Use Case**: System administrators use SSH for secure Linux VM management, automated script execution, file transfers, log analysis, and remote system administration.

Diagram

**Visual**: 
🎨 SSH Connection Process:

┌─────────────────────────────────────────────────────────────────┐
│                    🔐 SSH AUTHENTICATION                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  💻 CLIENT MACHINE  │    │        🔎 AZURE LINUX VM          │
│                     │───►│                                     │
│ 🔑 Private Key      │    │  🔓 Public Key (authorized_keys)  │
│ ~/.ssh/id_rsa       │    │  ~/.ssh/authorized_keys           │
│                     │    │                                     │
│ Connection Command: │    │  SSH Daemon (sshd)                │
│ ssh -i ~/.ssh/id_rsa│    │  Port 22 (default)                │
│   user@vm-ip        │    │  Public IP: 20.1.2.3              │
└─────────────────────┘    └─────────────────────────────────────┘

SSH Commands:
─────────────
# Generate key pair
ssh-keygen -t rsa -b 4096

# Connect to VM
ssh azureuser@vm-ip

# Connect with specific key
ssh -i ~/.ssh/mykey azureuser@vm-ip

# Copy files (SCP)
scp file.txt azureuser@vm-ip:/home/azureuser/
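Added example (not from this guide and not an Azure tool): the check an administrator runs after switching a Linux VM to key-based login. It parses the global section of a constructed sshd_config and lists settings that still permit password or root logins, honouring the rule that sshd keeps the first value it reads for a keyword and that lines after a Match block apply only to that block. Keyword names and defaults are OpenSSH's; the sample configuration is made up.

```python
"""Audit an sshd_config for the key-only settings a Linux VM should have.

sshd honours the FIRST value it reads for a keyword, so a hardening line
appended at the end of the file is silently ignored if an earlier line
already set it; and everything after a 'Match' line belongs to that block.
The parser mirrors both rules.
"""

# Values OpenSSH uses when a keyword is absent (OpenSSH 7.x and later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

# What a key-only, no-root-login configuration should look like.
EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}


def parse_global_settings(text: str) -> dict:
    """Return keyword -> first value seen, stopping at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                                   # conditional section starts here
        settings.setdefault(key, value)             # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> list:
    """Return (keyword, effective_value, expected_value) for every weak setting."""
    effective = dict(DEFAULTS)
    effective.update(parse_global_settings(text))
    return [
        (key, effective[key], want)
        for key, want in EXPECTED.items()
        if effective[key] != want
    ]


# Constructed sample: the distro default 'PasswordAuthentication yes' near the
# top wins; the hardening line at the bottom never applies globally because
# the keyword was already set and the line sits under a Match block anyway.
SAMPLE_CONFIG = """\
# Distro defaults
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin prohibit-password

Match User backup
    PasswordAuthentication no

# Hardening appended later
PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, got, want in audit_sshd_config(SAMPLE_CONFIG):
        print(f"{key}: is '{got}', should be '{want}'")
```

Run it against `/etc/ssh/sshd_config` after `ssh-copy-id`; the only fix that actually takes effect is editing the first occurrence of the keyword (or removing it) and reloading sshd, then confirming with `sshd -T | grep -i passwordauthentication`, which prints the effective value.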

RDP Connection to Azure VMs

Explanation

**Explanation**: Remote Desktop Protocol (RDP) for graphical remote access to Windows Azure VMs. Provides full desktop interface access with keyboard, mouse, audio, and clipboard support over encrypted connections.

Examples

**Examples**: Using mstsc.exe on Windows, Remote Desktop apps on mobile devices, configuring RDP settings in VM creation, setting up Network Level Authentication.

Enterprise Use Case

**Use Case**: Windows administrators use RDP for GUI-based VM management, running Windows applications remotely, desktop virtualization, and when graphical interface is required.

Diagram

**Visual**: 
🎨 RDP Connection Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    🖥️ RDP SESSION                           │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   💻 LOCAL DESKTOP  │    │      🪟 AZURE WINDOWS VM        │
│                     │───►│                                     │
│ RDP Client:         │    │  Remote Desktop Services            │
│ • mstsc.exe         │    │  Port 3389 (default)               │
│ • Remote Desktop App│    │                                     │
│ • Web client        │    │  Authentication:                   │
│                     │    │  • Username/Password              │
│ Features:           │    │  • Network Level Auth            │
│ • Full desktop      │    │  • Smart card                    │
│ • Audio redirection │    │                                     │
│ • Clipboard sharing │    │  Public IP: 20.1.2.4               │
│ • File transfer     │    │  VM Size: Standard_D2s_v3           │
└─────────────────────┘    └─────────────────────────────────────┘

Connection Methods:
────────────────────
# Windows Remote Desktop Connection
mstsc /v:vm-ip-address

# Open a saved .rdp file (add /f for full screen)
mstsc MyVM.rdp

# mstsc has no /u switch; force a credential prompt instead of saved credentials
mstsc /v:vm-ip /prompt

Azure Bastion

Explanation

**Explanation**: Fully managed platform-as-a-service (PaaS) that brokers RDP and SSH sessions to VMs from the Azure portal (or from native SSH/RDP clients with the Standard SKU) over TLS on port 443. Bastion is deployed into a dedicated subnet named AzureBastionSubnet (/26 or larger) in the virtual network and reaches the VMs over their private IPs, so the VMs need no public IP address and no inbound 22/3389 rule from the internet; the VM's NSG only has to allow those ports from the AzureBastionSubnet address range (or the VirtualNetwork tag).

Examples

**Examples**: Creating a Bastion host in a VNet, connecting to VMs from the portal browser, creating the dedicated AzureBastionSubnet (/26 or larger), scaling Bastion instances for more concurrent sessions, writing NSG rules that allow 22/3389 only from the Bastion subnet.

Enterprise Use Case

**Use Case**: Security-conscious organizations use Bastion for secure VM access without exposing public IPs, meeting compliance requirements, centralizing access control, and providing secure remote work capabilities.

Diagram

**Visual**: 
🎨 Azure Bastion Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    🏰 AZURE BASTION SECURITY                  │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🌐 INTERNET USER   │    │         🔒 AZURE VIRTUAL NETWORK   │
│                     │───►│                                     │
│ Web Browser         │    │  ┌─────────────────────────────────┐│
│ (HTTPS/TLS, 443)    │    │  │     🏰 Azure Bastion           ││
│                     │    │  │   AzureBastionSubnet           ││
│ No VPN needed       │    │  │   (dedicated, /26 or larger)   ││
│ No public IP on VM  │    │  └─────────────────────────────────┘│
│ No inbound 22/3389  │    │                │                   │
│   from the internet │    │                ▼                   │
└─────────────────────┘    │  ┌─────────────────────────────────┐│
                           │  │     💻 PRIVATE VMs             ││
                           │  │                                 ││
                           │  │  🐧 Linux VM    🪟 Windows VM   ││
                           │  │  (SSH)          (RDP)           ││
                           │  │  No public IP   No public IP    ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Bastion Benefits:
────────────────────
🛡️ No Public IPs    - VMs stay private; NSG allows 22/3389 only from AzureBastionSubnet
🔐 TLS on 443       - Browser (or native client, Standard SKU) talks only to Bastion
📱 Any Device       - Works on mobile/tablet
🎯 Just-in-Time     - Combine with Defender for Cloud JIT on the VM's NSG
📊 Audit Logs       - Session logs via diagnostic settings to Log Analytics
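Added example for the NSG point in the connectivity best-practices list and for the Bastion subnet rule: Python, not Microsoft tooling, that evaluates a list of inbound NSG rules the way the platform does (lowest priority number first, first match wins) and reports whether tcp/22 or tcp/3389 is reachable from an arbitrary internet source. The rule list is constructed here in the shape of `az network nsg rule list --include-default -o json` output; the prefix 10.0.255.0/26 standing in for AzureBastionSubnet and the rule names are assumptions.

```python
"""Find NSG rules that expose VM management ports to the internet.

Input: a list of inbound rule objects with the ARM property names that the
Azure CLI prints (priority, direction, access, protocol, sourceAddressPrefix
or sourceAddressPrefixes, destinationPortRange or destinationPortRanges).
"""
from typing import Optional

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}   # prefixes an internet client matches
MGMT_PORTS = {22: "SSH", 3389: "RDP"}


def _ports(rule: dict) -> Optional[set]:
    """Expand '22', '3000-3389' or '*' into a port set; None means any port."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for spec in specs:
        if spec == "*":
            return None
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _sources(rule: dict) -> set:
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return {p.lower() for p in prefixes}


def first_matching_rule(rules: list, port: int) -> Optional[dict]:
    """First inbound TCP rule, by ascending priority, that an internet client hits on `port`."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"].lower() != "inbound":
            continue
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        if not _sources(rule) & INTERNET_SOURCES:
            continue                      # scoped to a VNet/subnet/tag; internet traffic skips it
        allowed = _ports(rule)
        if allowed is None or port in allowed:
            return rule
    return None


def internet_exposed_ports(rules: list) -> dict:
    """Return {port: rule_name} for each management port an internet client can reach."""
    exposed = {}
    for port in MGMT_PORTS:
        rule = first_matching_rule(rules, port)
        if rule is not None and rule["access"].lower() == "allow":
            exposed[port] = rule["name"]
    return exposed


# Constructed sample. A leftover "temporary" RDP rule at priority 300 beats the
# deny at 400; SSH is only allowed from the (assumed) Bastion subnet, so it is
# not exposed. The two default rules are included for realism.
SAMPLE_RULES = [
    {"name": "AllowBastionSSH", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.255.0/26", "destinationPortRange": "22"},
    {"name": "TempRDP", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "DenyMgmtFromInternet", "priority": 400, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for port, name in internet_exposed_ports(SAMPLE_RULES).items():
        print(f"{MGMT_PORTS[port]} (tcp/{port}) is reachable from the internet via rule '{name}'")
```

The function looks only at the NSG; a VM is reachable only if it also has a public IP (or sits behind a public load balancer), and an NSG on the subnet is evaluated before the NIC's NSG, so run the check against both.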

Azure Disk Encryption

Explanation

**Explanation**: Azure Disk Encryption (ADE) is a VM extension that encrypts the OS and data disks inside the guest, using BitLocker on Windows or dm-crypt on Linux, with the encryption secret (BEK) and an optional customer-managed key encryption key (KEK) held in an Azure Key Vault in the same region and subscription as the VM. It is distinct from server-side encryption (SSE), which Azure applies to every managed disk at the storage layer by default; ADE adds guest-level encryption on top. Performance impact is small, but ADE is not supported on every VM size or image (for example Basic and A-series VMs, or VMs with less than 2 GB of memory), so check support before enabling it.

Examples

**Examples**: Enabling ADE on new VMs, encrypting existing VM disks, using customer-managed keys, configuring Key Vault permissions, monitoring encryption status.

Enterprise Use Case

**Use Case**: Enterprises use disk encryption for compliance requirements, protecting sensitive data at rest, meeting regulatory standards, and securing VMs in shared infrastructure environments.

Diagram

**Visual**: 
🎨 Azure Disk Encryption Process:

┌─────────────────────────────────────────────────────────────────┐
│                    🔐 DISK ENCRYPTION FLOW                    │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🗝️ AZURE KEY VAULT │    │           💻 AZURE VM              │
│                     │───►│                                     │
│ Encryption Keys:    │    │  ┌─────────────────────────────────┐│
│ • BEK (secret)      │    │  │      💽 OS DISK (Encrypted)    ││
│ • KEK (optional,    │    │  │                                 ││
│   customer-managed) │    │  │   🔒 AES-256 Encryption        ││
│                     │    │  │   🛡️ BitLocker / dm-crypt      ││
│ Key Management:     │    │  │   ⚡ Minimal performance impact ││
│ • Same region/sub   │    │  └─────────────────────────────────┘│
│ • Access policies   │    │                                     │
│ • Audit logging     │    │  ┌─────────────────────────────────┐│
└─────────────────────┘    │  │    💿 DATA DISKS (Encrypted)    ││
                           │  │                                 ││
                           │  │   🔐 Individual disk encryption ││
                           │  │   📈 Scalable to multiple disks││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Encryption Features:
──────────────────────
🔒 At-Rest Protection - Guest-level encryption on top of the storage-layer SSE every managed disk already has
🗝️ Key Vault Integration - BEK secret (and optional KEK) in a Key Vault in the same region and subscription
🔄 Key Rotation - Not automatic: create a new KEK in Key Vault and re-run the ADE extension with it
📊 Compliance Ready - Satisfies controls that require customer-controlled keys for data at rest
⚡ Transparent Operation - No application changes needed

Move Virtual Machines

Explanation

**Explanation**: Moving a VM between resource groups or subscriptions is an Azure Resource Manager move: the VM keeps running, and its dependent resources (NICs, managed disks, public IPs and anything else it references in the same resource group) must move with it in the same operation. Source and target subscriptions must belong to the same Microsoft Entra tenant, and both resource groups are locked against writes and deletes while the move runs. Moving between regions is a different operation entirely: there is no in-place region move, so you replicate with Azure Resource Mover or Azure Site Recovery (or copy disks manually) and recreate the networking at the destination, with downtime at cutover.

Examples

**Examples**: Moving VM to different resource group, cross-subscription migrations, region-to-region moves for disaster recovery, consolidating resources for better organization.

Enterprise Use Case

**Use Case**: Organizations move VMs for cost optimization, resource consolidation, compliance requirements, disaster recovery setup, or reorganizing Azure resource structure.

Diagram

**Visual**: 
🎨 VM Move Operations:

┌─────────────────────────────────────────────────────────────────┐
│                    🚚 VM MIGRATION TYPES                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  📁 RESOURCE GROUP │    │       📋 SUBSCRIPTION MOVE       │
│                     │───►│                                     │
│ Same subscription   │    │  Different subscription, same       │
│ No VM restart       │    │  Microsoft Entra tenant             │
│ Quick operation     │    │                                     │
│                     │    │  Considerations:                     │
│ az resource move   │    │  • Billing transfer               │
│   --ids $vmId $nicId│   │  • RBAC permissions              │
│   --destination-   │    │  • Resource limits/quotas        │
│   group targetRG   │    │  • Network dependencies          │
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🌍 REGION MOVE   │    │       ⚠️ MOVE LIMITATIONS        │
│                     │───►│                                     │
│ Not an ARM move:    │    │  Cannot move (or needs prep) if:    │
│ replicate with      │    │  • Azure Disk Encryption enabled    │
│ Azure Resource Mover│    │    (disable encryption first)       │
│ or Site Recovery,   │    │  • VM in an availability set (move  │
│ then cut over       │    │    the whole set, never one VM)     │
│                     │    │  • Marketplace plan: no cross-      │
│ Manual alternative: │    │    subscription move                │
│ 1️⃣ Stop VM           │    │  • Azure Backup: delete the restore │
│ 2️⃣ Snapshot/copy disk│    │    point collection first           │
│ 3️⃣ Recreate in region│    │  • Key Vault certs: same sub only   │
└─────────────────────┘    └─────────────────────────────────────┘

Move Checklist:
─────────────────
✅ Validate dependencies  - NICs, disks, public IPs move with the VM
✅ Verify permissions     - Write on source and target, plus moveResources on the source
✅ Plan the lock window   - Both resource groups are read-only while the move runs
✅ Test after move        - Verify functionality and re-point RBAC, policies and alerts that used the old resource IDs

Manage VM Sizes

Explanation

**Explanation**: Changing a VM's size to scale compute up or down. Resizing always restarts the VM: if the target size is available on the hardware cluster hosting the VM it is a reboot, otherwise the VM must be deallocated first, which releases a dynamic public IP and wipes the temporary disk. Sizes are also constrained by region quota and, for VMs in an availability set, by what the set's current hosts can offer, so check the resize options the platform lists for the VM before choosing a size.

Examples

**Examples**: Upgrading from B2s to D4s_v3 for more performance, downgrading to reduce costs, changing between VM families for different workload types.

Enterprise Use Case

**Use Case**: Organizations resize VMs for cost optimization, performance tuning, handling seasonal workload changes, or migrating to newer VM generations.

Diagram

**Visual**: 
🎨 VM Resize Process:

┌─────────────────────────────────────────────────────────────────┐
│                    📈 VM SIZE SCALING                        │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📉 SCALE DOWN    │    │         📈 SCALE UP             │
│                     │───►│                                     │
│ D4s_v3 → D2s_v3      │    │  D2s_v3 → D4s_v3                    │
│ 4 vCPU → 2 vCPU      │    │  2 vCPU → 4 vCPU                    │
│ 16GB → 8GB RAM      │    │  8GB → 16GB RAM                    │
│                     │    │                                     │
│ Benefits:           │    │  Benefits:                           │
│ • Reduced costs      │    │  • Better performance             │
│ • Right-sizing      │    │  • Handle more load               │
└─────────────────────┘    └─────────────────────────────────────┘

Resize Commands:
────────────────
# Azure CLI
az vm resize --resource-group myRG --name myVM --size Standard_D4s_v3

# PowerShell
$vm = Get-AzVM -ResourceGroupName "myRG" -Name "myVM"
$vm.HardwareProfile.VmSize = "Standard_D4s_v3"
Update-AzVM -VM $vm -ResourceGroupName "myRG"

VM Scale Sets (VMSS)

Explanation

**Explanation**: Azure service that creates and manages a group of identical VMs from one model (image, size, extensions, networking) and changes the instance count automatically based on demand. Scaling in deletes instances rather than stopping them, so you stop paying for them; scaling out provisions new ones from the model, which is why the image (or an extension / cloud-init) must contain everything an instance needs. Instances are spread across fault domains, and across availability zones if configured, and normally sit behind a load balancer or application gateway.

Examples

**Examples**: Web server farms that scale with traffic, batch processing workloads, microservices deployments, high-availability applications requiring multiple identical instances.

Enterprise Use Case

**Use Case**: Organizations use VMSS for applications that need automatic scaling, load distribution, and high availability without manual VM management.

Diagram

**Visual**: 
🎨 VM Scale Sets Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    📈 AUTO-SCALING VMSS                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🔄 LOW DEMAND      │    │        📈 HIGH DEMAND            │
│                     │───►│                                     │
│ Scale Set:          │    │  Scale Set:                        │
│ [💻] VM-1 (active)   │    │  [💻] VM-1 (active)             │
│ [💻] VM-2 (active)   │    │  [💻] VM-2 (active)             │
│ [✕] VM-3 (deleted    │    │  [💻] VM-3 (auto-created)       │
│      by scale-in)    │    │  [💻] VM-4 (auto-created)       │
│ Load: 20%           │    │  [💻] VM-5 (auto-created)       │
│ Cost: $100/month    │    │                                     │
└─────────────────────┘    │  Load: 85%                         │
                           │  Cost: $250/month                  │
                           └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    ⚙️ AUTO-SCALING RULES                     │
└─────────────────────────────────────────────────────────────────┘

Scale Out: CPU > 70% for 5 minutes → Add 1 instance
Scale In:  CPU < 30% for 10 minutes → Remove 1 instance
Min Instances: 2 | Max Instances: 10

VMSS Benefits:
────────────────
⚡ Auto-scaling   - Responds to demand automatically
💰 Cost Effective - Pay only for what you use
🎯 High Available - Distributed across fault domains
🔄 Self-healing   - Replaces unhealthy instances

Autoscaling Policies

Explanation

**Explanation**: Azure Monitor autoscale rules adjust the instance count of a VM Scale Set (or App Service plan) based on metrics such as CPU percentage, memory, queue length or a custom metric, or on a schedule. Each rule pairs a trigger (metric, operator, threshold, and how long the condition must hold) with an action (add or remove N instances, or set a count) and a cooldown during which no further action is taken. Give the scale-in rule a lower threshold and a longer duration than the scale-out rule; otherwise the instance you just added pulls the average below the scale-in line and the set flaps. Autoscale also estimates the metric after a proposed scale-in and skips it if that would immediately re-trigger scale-out.

Examples

**Examples**: Scale out when CPU > 70%, scale in when CPU < 30%, schedule-based scaling for known traffic patterns, scaling based on queue length or custom application metrics.

Enterprise Use Case

**Use Case**: Applications with variable load patterns use autoscaling for cost optimization, performance consistency, and automated capacity management.

Diagram

**Visual**: 
🎨 Autoscaling Policy Configuration:

┌─────────────────────────────────────────────────────────────────┐
│                    📈 SCALING TRIGGERS                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  📈 SCALE OUT RULE │    │       📉 SCALE IN RULE           │
│                     │───►│                                     │
│ Metric: CPU         │    │  Metric: CPU                       │
│ Threshold: > 70%    │    │  Threshold: < 30%                  │
│ Duration: 5 min     │    │  Duration: 10 min                  │
│ Action: +1 instance │    │  Action: -1 instance               │
│ Cooldown: 5 min     │    │  Cooldown: 15 min                  │
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────┐    ┌─────────────────────────────────────┐
│ 🕰️ SCHEDULE BASED  │    │      📆 PREDICTIVE SCALING      │
│                     │───►│                                     │
│ Business Hours:     │    │  Predictive autoscale (VMSS):       │
│ 8 AM - 6 PM = 5 VMs │    │  • ML forecast of CPU percentage   │
│ 6 PM - 8 AM = 2 VMs │    │  • Needs about 7 days of history   │
│                     │    │  • Scales out ahead of the forecast│
│ Weekend: 2 VMs      │    │  • Forecast-only mode to evaluate  │
└─────────────────────┘    └─────────────────────────────────────┘

Scaling Metrics:
────────────────────
📊 CPU Percentage  - Most common trigger
📀 Memory Usage    - RAM utilization
🔌 Network I/O     - Data transfer rates
💾 Disk I/O       - Storage operations
🎯 Custom Metrics  - Application-specific data
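Added example, not part of the guide and not Azure's own implementation: a replay of a constructed CPU series through the section's two rules (out at >70% for 5 minutes, in at <30% for 10 minutes, cooldowns of 5 and 15 minutes), one sample per minute, to show how duration windows and cooldowns shape the instance count and why the scale-in rule is deliberately slower. The Rule class and the series are made up for illustration.

```python
"""Replay a CPU metric series through scale-out / scale-in rules.

Models the behaviour described above: a rule fires only when the metric has
been past its threshold for the whole duration window, the count stays inside
[minimum, maximum], and after an action nothing else happens until the
cooldown has elapsed. Replaying a series like this is a cheap way to spot
flapping before applying a rule set to a scale set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str    # "out" or "in"
    threshold: float  # CPU percent
    duration: int     # consecutive samples the condition must hold
    change: int       # instances to add (out) or remove (in)
    cooldown: int     # samples to wait after this rule fires

    def triggered(self, window: list) -> bool:
        if len(window) < self.duration:
            return False
        recent = window[-self.duration:]
        if self.direction == "out":
            return all(v > self.threshold for v in recent)
        return all(v < self.threshold for v in recent)


def simulate(samples: list, rules: list, start: int, minimum: int, maximum: int) -> list:
    """Return the instance count after each sample (one sample = one evaluation)."""
    count = start
    cooldown_left = 0
    history = []
    for i in range(len(samples)):
        if cooldown_left > 0:
            cooldown_left -= 1                     # no evaluation during cooldown
        else:
            for rule in rules:                     # first rule that fires wins
                if rule.triggered(samples[: i + 1]):
                    delta = rule.change if rule.direction == "out" else -rule.change
                    count = max(minimum, min(maximum, count + delta))
                    cooldown_left = rule.cooldown
                    break
        history.append(count)
    return history


# The section's rules, one sample per minute.
RULES = [Rule("out", 70, 5, 1, 5), Rule("in", 30, 10, 1, 15)]

# Constructed series: a 5-minute spike, 10 quiet minutes, 10 very quiet minutes.
CPU = [85] * 5 + [50] * 10 + [10] * 10

if __name__ == "__main__":
    print(simulate(CPU, RULES, start=2, minimum=2, maximum=10))
```

With these values the set scales out at minute 5 and does not scale back in until minute 25, because the scale-in rule needs ten consecutive quiet samples and the 50% readings in between do not qualify. Shortening that window to match the scale-out one would make the set oscillate on the same series.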

Azure Kubernetes Service (AKS)

Explanation

**Explanation**: Managed Kubernetes service that simplifies deployment, management, and operations of Kubernetes clusters. Provides automated patching, scaling, monitoring, and integrates with Azure services like Azure Active Directory and Azure Monitor.

Examples

**Examples**: Microservices deployments, containerized application hosting, CI/CD pipeline integration, multi-environment application deployments, hybrid cloud applications.

Enterprise Use Case

**Use Case**: Organizations use AKS for container orchestration at scale, DevOps workflows, microservices architecture, and when they need Kubernetes without infrastructure management overhead.

Diagram

**Visual**: 
🎨 Azure Kubernetes Service Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    ☸️ AKS CLUSTER OVERVIEW                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🏛️ CONTROL PLANE   │    │           🚢 WORKER NODES           │
│                     │───►│                                     │
│ (Managed by Azure)  │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │Node 1: Standard_D4s_v3         ││
│ │API Server       │ │    │  │├─ 📦 Pod 1 (nginx)             ││
│ │etcd Database    │ │    │  │├─ 📦 Pod 2 (api-service)       ││
│ │Controller Mgr   │ │    │  │└─ 📦 Pod 3 (database)          ││
│ │Scheduler        │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  ┌─────────────────────────────────┐│
│ Free tier: no charge│    │  │Node 2: Standard_D4s_v3         ││
└─────────────────────┘    │  │├─ 📦 Pod 4 (frontend)          ││
                           │  │├─ 📦 Pod 5 (cache)             ││
                           │  │└─ 📦 Pod 6 (worker)            ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🔧 AKS MANAGEMENT FEATURES                  │
└─────────────────────────────────────────────────────────────────┘

🔄 Auto-scaling:     Horizontal Pod Autoscaler + Cluster Autoscaler
🛡️ Security:         RBAC + Network Policies + Azure AD Integration
📊 Monitoring:       Azure Monitor + Container Insights
🚀 CI/CD:           Azure DevOps + GitHub Actions Integration
🌐 Networking:      Azure CNI + Calico + Istio Service Mesh
💾 Storage:         Azure Disks + Azure Files + Persistent Volumes

Azure Container Registry (ACR)

Explanation

**Explanation**: Private Docker registry service for storing and managing container images. Provides geo-replication, security scanning, automated builds, and integrates with Azure services for secure container deployment.

Examples

**Examples**: Storing custom application images, automated CI/CD builds, multi-region image distribution, vulnerability scanning, webhook integrations with deployment pipelines.

Enterprise Use Case

**Use Case**: Development teams use ACR for secure private container image storage, automated build processes, enterprise-grade image management, and integration with AKS clusters.

Diagram

**Visual**: 
🎨 Azure Container Registry Workflow:

┌─────────────────────────────────────────────────────────────────┐
│                    🏗️ CONTAINER BUILD & DEPLOY                 │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   💻 DEVELOPMENT     │    │         📦 AZURE CONTAINER REGISTRY │
│                     │───►│                                     │
│ Source Code         │    │  myregistry.azurecr.io             │
│ ├─ Dockerfile       │    │                                     │
│ ├─ app.py           │    │  ┌─────────────────────────────────┐│
│ ├─ requirements.txt │    │  │Repository: webapp               ││
│ └─ .github/         │    │  │├─ v1.0 (latest)               ││
│                     │    │  │├─ v0.9                        ││
│ az acr build       │    │  │└─ v0.8                        ││
│   --registry myacr │    │  └─────────────────────────────────┘│
│   --image webapp:v1 │    │                                     │
└─────────────────────┘    │  ┌─────────────────────────────────┐│
                           │  │Repository: api-service          ││
┌─────────────────────┐    │  │├─ v2.1 (latest)               ││
│  🔐 SECURITY         │───►│  │├─ v2.0                        ││
│                     │    │  │└─ v1.9                        ││
│ Image Scanning      │    │  └─────────────────────────────────┘│
│ ├─ Vulnerability    │    └─────────────────────────────────────┘
│ │   Detection       │    
│ ├─ Compliance       │    ┌─────────────────────────────────────┐
│ │   Checks          │    │         ☸️ AKS DEPLOYMENT          │
│ └─ Access Control   │───►│                                     │
                           │  kubectl create deployment webapp │
                           │    --image=myacr.azurecr.io/      │
                           │           webapp:v1                │
                           │                                     │
                           │  Pod Status: ✅ Running             │
                           └─────────────────────────────────────┘

ACR Features:
─────────────
🌍 Geo-replication - Global image distribution (Premium SKU)
🔍 Vulnerability Scan - Security assessment via Microsoft Defender for Containers
🤖 Auto-build - ACR Tasks for CI/CD integration
🔒 RBAC - Grant the AKS cluster's kubelet identity the AcrPull role instead of using the registry admin account
📋 Webhooks - Event notifications on push and delete

App Service Deployment Slots

Explanation

**Explanation**: Feature of App Service (Standard tier and above) that runs additional, separately addressable instances of an app in the same App Service plan. Code is deployed to a slot such as staging and then swapped into production: the swap exchanges the slot contents and most configuration, warms the incoming instances before switching routing, and can be reversed by swapping again. Settings marked as deployment slot settings (typically connection strings and other environment-specific values) stay with their slot instead of swapping. Slots can also receive a percentage of production traffic for testing.

Examples

**Examples**: Staging slot for testing before production, A/B testing with traffic splitting, rollback capabilities, continuous deployment workflows, environment-specific configurations.

Enterprise Use Case

**Use Case**: Development teams use deployment slots for safe deployments, testing in production-like environments, gradual rollouts, and maintaining high availability during updates.

Diagram

**Visual**: 
🎨 App Service Deployment Slots:

┌─────────────────────────────────────────────────────────────────┐
│                    🎭 DEPLOYMENT SLOT WORKFLOW                 │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🎯 PRODUCTION SLOT │    │         🎪 STAGING SLOT            │
│                     │    │                                     │
│ myapp.azurewebsites │◄──►│ myapp-staging.azurewebsites        │
│      .net           │SWAP│      .net                          │
│                     │    │                                     │
│ Version: 2.1        │    │ Version: 2.2 (Testing)             │
│ Status: ✅ Live     │    │ Status: 🧪 Testing                 │
│ Traffic: 90%        │    │ Traffic: 10%                       │
│                     │    │                                     │
│ Slot settings       │    │ Slot settings                       │
│ (stay with slot):   │    │ (stay with slot):                   │
│ ├─ DB: Production   │    │ ├─ DB: Staging                     │
│ └─ API: v1.0        │    │ └─ API: v1.1                       │
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🚀 DEPLOYMENT     │    │        📊 TRAFFIC ROUTING          │
│                     │───►│                                     │
│ 1️⃣ Deploy to staging│    │ Routes:                             │
│ 2️⃣ Test thoroughly │    │ ┌─────────────────────────────────┐ │
│ 3️⃣ Swap slots      │    │ │Production: 90% ████████████▒▒▒▒│ │
│ 4️⃣ Monitor metrics │    │ │Staging:    10% ██▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│ │
│ 5️⃣ Swap back to    │    │ └─────────────────────────────────┘ │
│    roll back        │    │                                     │
└─────────────────────┘    └─────────────────────────────────────┘

Slot Benefits:
──────────────
🔄 Zero Downtime - Incoming instances are warmed before the swap switches routing
🧪 Safe Testing - Same plan and hardware as production
📊 A/B Testing - Route a percentage of production traffic to a slot
⏪ Easy Rollback - Swap the slots back
⚙️ Separate Config - Settings flagged as slot settings stay with the slot; everything else swaps with the code
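Added example, not App Service code: a model of the swap rule described above. Settings flagged as deployment slot settings stay with their slot; everything else travels with the code. The risk function lists the non-sticky settings whose values differ between slots, which is what will silently change in production on swap. The slots, versions and setting names are made up.

```python
"""Model what a deployment-slot swap does to app settings.

Each setting is (value, slot_setting). A swap moves the app version and every
non-sticky setting across; sticky settings remain with the slot they belong to.
"""
from dataclasses import dataclass, field


@dataclass
class Slot:
    name: str
    app_version: str
    settings: dict = field(default_factory=dict)   # name -> (value, slot_setting)

    def value(self, name: str) -> str:
        return self.settings[name][0]


def swap(production: Slot, staging: Slot) -> tuple:
    """Return (new_production, new_staging) as they look after a swap."""

    def sticky(slot: Slot) -> dict:
        return {k: v for k, v in slot.settings.items() if v[1]}

    def movable(slot: Slot) -> dict:
        return {k: v for k, v in slot.settings.items() if not v[1]}

    new_prod = Slot(production.name, staging.app_version,
                    {**movable(staging), **sticky(production)})
    new_stag = Slot(staging.name, production.app_version,
                    {**movable(production), **sticky(staging)})
    return new_prod, new_stag


def swap_risks(production: Slot, staging: Slot) -> list:
    """Non-sticky settings whose value differs between the slots: these change in production."""
    risks = []
    for name, (value, is_slot_setting) in production.settings.items():
        if is_slot_setting:
            continue
        if name in staging.settings and staging.value(name) != value:
            risks.append(name)
    return risks


# Constructed slots. DB_CONNECTION is flagged sticky; LOG_LEVEL is not, so the
# staging value "debug" will land in production after the swap.
PROD = Slot("production", "2.1", {
    "DB_CONNECTION": ("Server=prod-sql;Database=app", True),
    "LOG_LEVEL": ("warning", False),
    "FEATURE_NEW_CHECKOUT": ("false", False),
})
STAGING = Slot("staging", "2.2", {
    "DB_CONNECTION": ("Server=staging-sql;Database=app", True),
    "LOG_LEVEL": ("debug", False),
    "FEATURE_NEW_CHECKOUT": ("true", False),
})

if __name__ == "__main__":
    print("settings that change in production on swap:", swap_risks(PROD, STAGING))
    new_prod, _ = swap(PROD, STAGING)
    print(new_prod.app_version, new_prod.value("DB_CONNECTION"), new_prod.value("LOG_LEVEL"))
```

Review the risk list before every swap; a feature flag that differs is usually intended, a log level or an unflagged connection string usually is not. Swapping twice returns both slots to their original state, which is the rollback path.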

VM Availability Sets

Explanation

**Explanation**: Logical grouping of VMs inside one datacenter that spreads instances across fault domains (separate racks with their own power and network switch) and update domains (groups the platform reboots one at a time during planned maintenance). It protects against a single rack failure and against rolling host maintenance, not against a whole datacenter or zone going down; that is what availability zones are for. A VM can only be placed in an availability set when it is created; an existing VM has to be recreated to join one.

Examples

**Examples**: Web server clusters, database clusters, application tiers requiring 99.95% SLA, multi-instance deployments for redundancy.

Enterprise Use Case

**Use Case**: Multi-instance tiers (web, application, database replicas) use availability sets to qualify for the 99.95% VM SLA and keep serving through rack failures and Azure host maintenance; where protection against datacenter-level failures is needed they use availability zones instead.

Diagram

**Visual**: 
🎨 VM Availability Set Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    🏗️ AVAILABILITY SET LAYOUT                  │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   ⚡ FAULT DOMAINS  │    │         🔄 UPDATE DOMAINS           │
│                     │───►│                                     │
│ Physical separation │    │  Maintenance isolation              │
│                     │    │                                     │
│ Rack 1: 🖥️ VM1      │    │  Group 1: 🖥️ VM1, VM3, VM5         │
│        🖥️ VM2      │    │  Group 2: 🖥️ VM2, VM4, VM6         │
│                     │    │                                     │
│ Rack 2: 🖥️ VM3      │    │  Maintenance Schedule:              │
│        🖥️ VM4      │    │  • Week 1: Update Group 1          │
│                     │    │  • Week 2: Update Group 2          │
│ Rack 3: 🖥️ VM5      │    │  • Never both simultaneously       │
│        🖥️ VM6      │    │                                     │
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    📊 AVAILABILITY BENEFITS                    │
└─────────────────────────────────────────────────────────────────┘

🎯 SLA: 99.95% for two or more VMs in the set (about 21.6 minutes/month)
🔧 Fault Tolerance: Survives a single rack (fault domain) failure
🔄 Maintenance: Only one update domain is rebooted at a time
💰 Cost: No additional charge for the set itself; you pay per VM
⚖️ Load Balancing: Pair with a load balancer so traffic moves to healthy instances

Configuration:
──────────────
• Up to 3 fault domains (2 in some regions) and up to 20 update domains (default 5)
• All VMs in the set must be in the same region and resource group
• Use managed disks (an aligned set) so the disks are spread across storage fault domains too
• Assign the VM to the set at creation time; it cannot be added afterwards

VM Data Disks

Explanation

**Explanation**: Additional managed disks attached to a VM for application data, separate from the OS disk and from the non-persistent temporary disk. A data disk is its own Azure resource: it persists independently of the VM (unless its delete option is set to delete with the VM), can be detached and attached elsewhere, snapshotted, and given a different performance tier from the OS disk. After attaching, the disk still has to be initialized, partitioned and formatted inside the guest.

Examples

**Examples**: Database storage, application logs, file shares, backup storage, content repositories, temporary storage for processing.

Enterprise Use Case

**Use Case**: Applications requiring additional storage beyond OS disk, database servers needing high IOPS, separating system and application data for better management.

Diagram

**Visual**: 
🎨 VM Data Disk Configuration:

┌─────────────────────────────────────────────────────────────────┐
│                    💾 VM DISK ARCHITECTURE                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│    🖥️ VIRTUAL MACHINE│    │        💽 STORAGE CONFIGURATION     │
│                     │───►│                                     │
│ VM Name: WebServer01│    │  ┌─────────────────────────────────┐│
│ Size: Standard_D4s  │    │  │OS Disk (C:) - Premium SSD      ││
│ OS: Windows 2019    │    │  │Size: 128GB                     ││
│                     │    │  │IOPS: 500                       ││
│ Mounted Disks:      │    │  │Encryption: Platform managed    ││
│ ├─ C: (OS Disk)     │    │  └─────────────────────────────────┘│
│ ├─ E: (Data Disk 1) │    │                                     │
│ ├─ F: (Data Disk 2) │    │  ┌─────────────────────────────────┐│
│ └─ T: (Temp Disk)   │    │  │Data Disk 1 (E:) - Premium SSD  ││
└─────────────────────┘    │  │Size: 512GB                     ││
                           │  │IOPS: 2,300                     ││
┌─────────────────────┐    │  │Purpose: Database files          ││
│  📋 DISK MANAGEMENT │───►│  └─────────────────────────────────┘│
│                     │    │                                     │
│ Attach: ✅ Online   │    │  ┌─────────────────────────────────┐│
│ Format: ✅ NTFS     │    │  │Data Disk 2 (F:) - Standard SSD ││
│ Mount: ✅ E:, F:    │    │  │Size: 1TB                       ││
│ Backup: ✅ Enabled  │    │  │IOPS: 500                       ││
│                     │    │  │Purpose: Application logs        ││
│ PowerShell:         │    │  └─────────────────────────────────┘│
│ Get-Disk           │    │                                     │
│ Initialize-Disk    │    │  ┌─────────────────────────────────┐│
│ New-Partition      │    │  │Temp Disk (T:) - Local SSD      ││
│ Format-Volume      │    │  │Size: 32GB (VM size dependent)  ││
└─────────────────────┘    │  │IOPS: High (local storage)      ││
                           │  │⚠️ Not persistent - VM restart  ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Disk Types & Performance:
─────────────────────────
🏆 Ultra SSD:     Up to 160,000 IOPS, 2,000 MB/s
⚡ Premium SSD:   Up to 20,000 IOPS, 900 MB/s  
📊 Standard SSD:  Up to 6,000 IOPS, 750 MB/s
💿 Standard HDD:  Up to 2,000 IOPS, 500 MB/s

VM Snapshots

Explanation

**Explanation**: Point-in-time copies of VM disks that capture the state of data for backup, recovery, or cloning purposes. Incremental snapshots save space by only storing changed blocks since the last snapshot.

Examples

**Examples**: Before major updates or changes, creating development environments from production, disaster recovery scenarios, compliance and audit requirements.

Enterprise Use Case

**Use Case**: IT teams use snapshots for data protection, environment provisioning, testing scenarios, and quick rollback capabilities during maintenance windows.

Diagram

**Visual**: 
🎨 VM Snapshot Workflow:

┌─────────────────────────────────────────────────────────────────┐
│                    📸 SNAPSHOT LIFECYCLE                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   💾 ORIGINAL DISK   │    │         📸 SNAPSHOT CREATION        │
│                     │───►│                                     │
│ VM: ProductionWeb   │    │  az snapshot create \               │
│ Disk: 500GB         │    │    --resource-group myRG \          │
│ Used: 300GB         │    │    --source-disk webserver-disk \  │
│                     │    │    --name snapshot-20250110        │
│ Applications:       │    │                                     │
│ ├─ Web Server       │    │  Status: ✅ Completed               │
│ ├─ Database         │    │  Time: 5 minutes                   │
│ ├─ Monitoring       │    │  Size: 300GB (incremental)         │
│ └─ Logs            │    │                                     │
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🔄 SNAPSHOT OPERATIONS                      │
└─────────────────────────────────────────────────────────────────┘

📋 Create New VM from Snapshot:
──────────────────────────────────
1️⃣ az disk create --source snapshot-20250110
2️⃣ az vm create --attach-os-disk newdisk
3️⃣ Configure networking and resources
4️⃣ ✅ New VM ready with identical state

💿 Restore Original Disk:
────────────────────────
1️⃣ Stop VM
2️⃣ az disk create --source snapshot-20250110  
3️⃣ Swap disk in VM configuration
4️⃣ ✅ VM restored to snapshot state

┌─────────────────────┐    ┌─────────────────────────────────────┐
│ 📊 SNAPSHOT CHAIN  │    │        💰 COST OPTIMIZATION         │
│                     │───►│                                     │
│ Base: 300GB         │    │  Incremental snapshots:             │
│ Day 1: +5GB         │    │  ├─ Only changed blocks stored      │
│ Day 2: +3GB         │    │  ├─ Reduces storage costs           │
│ Day 3: +7GB         │    │  └─ Faster snapshot creation        │
│                     │    │                                     │
│ Total: 315GB actual │    │  Retention policies:                │
│ vs 1,200GB full     │    │  ├─ Daily: 7 days                  │
└─────────────────────┘    │  ├─ Weekly: 4 weeks                │
                           │  └─ Monthly: 12 months              │
                           └─────────────────────────────────────┘

Snapshot Benefits:
──────────────────
⚡ Fast Recovery - Restore in minutes
💰 Cost Effective - Incremental storage  
🔄 Versioning - Multiple recovery points
🛡️ Data Protection - Against corruption/deletion
🎯 Testing - Safe environment creation
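The retention policy listed above (daily 7 days, weekly 4 weeks, monthly 12 months) turned into a pruning plan, as an added example that is not code from the study guide; the snapshot inventory it works on is constructed, and the `az snapshot list` / `az snapshot delete` calls that would feed and act on the plan are deliberately not made here.

```python
"""Snapshot retention pruning (added example, not code from the study guide).

Implements the retention policy listed under cost optimization above
(daily: 7 days, weekly: 4 weeks, monthly: 12 months) as a plan that says
which snapshots to keep and which to delete. Snapshot names and dates
are constructed; in a real subscription the inventory would come from
`az snapshot list` and the deletions from `az snapshot delete`, neither
of which this offline example calls.
"""
from datetime import date, timedelta


def _month_buckets(today, count):
    """(year, month) pairs for the current month and the count-1 before it."""
    year, month = today.year, today.month
    buckets = []
    for _ in range(count):
        buckets.append((year, month))
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return buckets


def prune_plan(snapshots, today, daily=7, weekly=4, monthly=12):
    """Return (keep, delete): sorted lists of snapshot names.

    A snapshot survives when it is the newest one in a protected bucket:
    one of the last `daily` calendar days, the last `weekly` ISO weeks or
    the last `monthly` calendar months. Keeping the newest per bucket
    means a restore from that bucket lands on its latest state.
    """
    day_keys = {today - timedelta(days=k) for k in range(daily)}
    week_keys = {(today - timedelta(days=7 * k)).isocalendar()[:2]
                 for k in range(weekly)}
    month_keys = set(_month_buckets(today, monthly))

    newest = {}  # bucket -> (date taken, snapshot name)
    for name, taken in snapshots.items():
        if taken > today:
            continue  # future-dated metadata is handled conservatively below
        buckets = []
        if taken in day_keys:
            buckets.append(("day", taken))
        week = taken.isocalendar()[:2]
        if week in week_keys:
            buckets.append(("week", week))
        if (taken.year, taken.month) in month_keys:
            buckets.append(("month", (taken.year, taken.month)))
        for bucket in buckets:
            if bucket not in newest or taken > newest[bucket][0]:
                newest[bucket] = (taken, name)

    keep = {name for _, name in newest.values()}
    # Future-dated snapshots are kept rather than deleted on bad metadata.
    keep |= {name for name, taken in snapshots.items() if taken > today}
    if snapshots and not keep:
        # Safety net: never delete the last recovery point, however old.
        keep.add(max(snapshots, key=snapshots.get))
    delete = set(snapshots) - keep
    return sorted(keep), sorted(delete)


def sample_snapshots():
    """Constructed inventory using the snapshot-YYYYMMDD naming shown above."""
    taken = [
        "2025-01-10", "2025-01-09", "2025-01-08", "2025-01-07", "2025-01-06",
        "2025-01-05", "2025-01-04", "2025-01-03", "2025-01-02", "2025-01-01",
        "2024-12-28", "2024-12-20", "2024-12-01", "2024-11-01",
        "2024-01-15", "2023-12-15",
    ]
    return {"snapshot-" + d.replace("-", ""): date.fromisoformat(d) for d in taken}


if __name__ == "__main__":
    keep, delete = prune_plan(sample_snapshots(), date(2025, 1, 10))
    print("keep:  ", ", ".join(keep))
    print("delete:", ", ".join(delete))
```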

Create App Service

Explanation

**Explanation**: Process of creating web applications, REST APIs, and mobile backends on the Azure App Service platform. Includes selecting a service plan, configuring the runtime environment, and setting up a deployment method.

Examples

**Examples**: Creating web apps for different frameworks (.NET, Python, Node.js), API backends, mobile app services, microservices endpoints.

Enterprise Use Case

**Use Case**: Development teams use App Service for hosting web applications, creating scalable APIs, building mobile backends, and implementing serverless web solutions.

Diagram

**Visual**: 
🎨 App Service Creation Process:

┌─────────────────────────────────────────────────────────────────┐
│                    🏗️ APP SERVICE CREATION                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📋 CONFIGURATION   │    │         🚀 DEPLOYMENT OPTIONS       │
│                     │───►│                                     │
│ App Name:           │    │  ┌─────────────────────────────────┐│
│ mywebapp2025        │    │  │📦 Source Code Options:          ││
│                     │    │  │├─ GitHub                        ││
│ Runtime Stack:      │    │  │├─ Azure DevOps                 ││
│ ├─ .NET 6           │    │  │├─ Bitbucket                    ││
│ ├─ Python 3.9       │    │  │├─ Local Git                    ││
│ ├─ Node.js 18       │    │  │└─ Docker Container             ││
│ ├─ PHP 8.0          │    │  └─────────────────────────────────┘│
│ └─ Java 11          │    │                                     │
│                     │    │  ┌─────────────────────────────────┐│
│ Region:             │    │  │⚙️ Configuration:                ││
│ East US             │    │  │├─ Environment variables        ││
│                     │    │  │├─ Connection strings           ││
│ App Service Plan:   │    │  │├─ SSL certificates             ││
│ Standard S1         │    │  │└─ Custom domains               ││
└─────────────────────┘    │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🛠️ CREATION METHODS                         │
└─────────────────────────────────────────────────────────────────┘

🖥️ Azure Portal:
──────────────────
1️⃣ Create resource → Web App
2️⃣ Configure basics (name, runtime, plan)
3️⃣ Set deployment source
4️⃣ Review + Create

💻 Azure CLI:
─────────────
az webapp create \
  --resource-group myRG \
  --plan myAppServicePlan \
  --name mywebapp2025 \
  --runtime "DOTNET|6.0"

⚡ PowerShell:
──────────────
New-AzWebApp `
  -ResourceGroupName "myRG" `
  -Name "mywebapp2025" `
  -AppServicePlan "myplan"

App Service Benefits:
────────────────────
🔄 Auto-scaling - Handle traffic spikes
🛡️ Built-in Security - HTTPS, authentication
🔧 Easy Management - No server maintenance
💰 Pay-per-use - Cost-effective pricing
🌍 Global Scale - Multiple regions available

Container Groups

Explanation

**Explanation**: Collection of containers scheduled on the same host machine that share lifecycle, resources, local network, and storage volumes. Enables multi-container applications with sidecar patterns and service composition.

Examples

**Examples**: Web application with Redis cache, application with logging sidecar, database with backup agent, microservices that need to run together.

Enterprise Use Case

**Use Case**: Applications requiring multiple containers to work together, sidecar patterns for logging/monitoring, tightly coupled services, and scenarios needing shared storage or networking.

Diagram

**Visual**: 
🎨 Container Group Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    👨‍👩‍👧‍👦 CONTAINER GROUP                          │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🏠 SHARED RESOURCES │    │         📦 CONTAINER INSTANCES      │
│                     │───►│                                     │
│ Public IP:          │    │  ┌─────────────────────────────────┐│
│ 20.1.2.3            │    │  │Container 1: Web Application     ││
│                     │    │  │├─ Image: nginx:latest           ││
│ DNS Name:           │    │  │├─ Port: 80                      ││
│ myapp.eastus.       │    │  │├─ CPU: 1 core                   ││
│ azurecontainer.io   │    │  │└─ Memory: 1GB                   ││
│                     │    │  └─────────────────────────────────┘│
│ Storage:            │    │                                     │
│ Azure File Share    │    │  ┌─────────────────────────────────┐│
│ /data volume        │    │  │Container 2: Redis Cache        ││
│                     │    │  │├─ Image: redis:alpine           ││
│ Network:            │    │  │├─ Port: 6379 (internal)         ││
│ Virtual Network     │    │  │├─ CPU: 0.5 core                 ││
│ Private subnet      │    │  │└─ Memory: 512MB                 ││
└─────────────────────┘    │  └─────────────────────────────────┘│
                           │                                     │
┌─────────────────────┐    │  ┌─────────────────────────────────┐│
│   🔄 LIFECYCLE       │───►│  │Container 3: Logging Sidecar    ││
│                     │    │  │├─ Image: fluentd:latest         ││
│ Start: All together │    │  │├─ Purpose: Log aggregation      ││
│ Stop: All together  │    │  │├─ CPU: 0.25 core                ││
│ Scale: As a unit    │    │  │└─ Memory: 256MB                 ││
│ Billing: Per group  │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

Communication Patterns:
──────────────────────
🔗 Localhost - Containers communicate via 127.0.0.1
💾 Shared Volumes - Common storage access
🌐 Single IP - External access through one endpoint
📊 Monitoring - Aggregate logs and metrics

Container Group YAML:
─────────────────────
apiVersion: '2021-03-01'
location: eastus
name: myContainerGroup
type: Microsoft.ContainerInstance/containerGroups
properties:
  osType: Linux
  containers:
  - name: web-app
    properties:
      image: nginx
      ports:
      - port: 80
      resources:
        requests:
          cpu: 1
          memoryInGb: 1
  - name: cache
    properties:
      image: redis
      ports:
      - port: 6379          # reachable from web-app via localhost only
      resources:
        requests:
          cpu: 0.5
          memoryInGb: 0.5
  ipAddress:                # only ports listed here are exposed on the public IP
    type: Public
    ports:
    - port: 80

Attach Data Disks to VMs

Explanation

**Explanation**: Process of adding storage disks to an existing virtual machine to expand its capacity. Includes creating new disks, attaching existing disks, and initializing and formatting them within the VM operating system.

Examples

**Examples**: Adding database storage disk, attaching backup volumes, expanding application storage, mounting shared data disks across multiple VMs.

Enterprise Use Case

**Use Case**: Applications requiring storage expansion, database servers needing additional disk space, separating data from OS disks, and implementing storage tiering strategies.

Diagram

**Visual**: 
🎨 Disk Attachment Process:

┌─────────────────────────────────────────────────────────────────┐
│                    💾 DISK ATTACHMENT WORKFLOW                 │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🖥️ VIRTUAL MACHINE │    │         💽 AVAILABLE DISKS          │
│                     │◄───│                                     │
│ Current Disks:      │    │  ┌─────────────────────────────────┐│
│ ├─ OS Disk (C:)     │    │  │New Disk: data-disk-01          ││
│ └─ Temp Disk (D:)   │    │  │Size: 1TB                       ││
│                     │    │  │Type: Premium SSD                ││
│ Available Letters:  │    │  │Status: ⏳ Available             ││
│ E:, F:, G:, H:...   │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ VM Status:          │    │  ┌─────────────────────────────────┐│
│ ✅ Running          │    │  │Existing Disk: backup-disk-02   ││
│ (Hot-attach capable)│    │  │Size: 2TB                       ││
└─────────────────────┘    │  │Type: Standard HDD               ││
                           │  │Status: ⏳ Unattached            ││
┌─────────────────────┐    │  └─────────────────────────────────┘│
│  ⚙️ ATTACHMENT STEPS │───►└─────────────────────────────────────┘
│                     │    
│ 1️⃣ Create/Select Disk│    ┌─────────────────────────────────────┐
│ 2️⃣ Attach to VM     │    │         🔧 POST-ATTACHMENT          │
│ 3️⃣ Configure in OS  │───►│                                     │
│ 4️⃣ Mount & Format   │    │  Windows Commands:                  │
│                     │    │  ┌─────────────────────────────────┐│
│ Azure CLI:          │    │  │diskpart                         ││
│ az vm disk attach \ │    │  │list disk                        ││
│   --vm-name myVM \  │    │  │select disk 2                    ││
│   --name data-disk-01│    │  │create partition primary         ││
│                     │    │  │active                           ││
│ PowerShell:         │    │  │assign letter=E                  ││
│ Add-AzVMDataDisk `  │    │  │format fs=ntfs quick             ││
│   -VM $vm `         │    │  └─────────────────────────────────┘│
│   -Name "data-disk" `│    │                                     │
│   -CreateOption Attach│   │  Result: New E: drive available    │
└─────────────────────┘    └─────────────────────────────────────┘

Attachment Benefits:
──────────────────────
🔄 Hot Attach - No VM restart required
⚡ Immediate - Available in seconds
🔒 Persistent - Survives VM restart/shutdown
📊 Performance - Choose appropriate disk type
💰 Cost Control - Pay only for what you use

Container Images for Azure Container Instances

Explanation

**Explanation**: Pre-built container images that serve as blueprints for creating container instances. Images contain application code, runtime, libraries, and dependencies packaged together. Azure supports public images from Docker Hub and private images from Azure Container Registry.

Examples

**Examples**: Using nginx:latest for web servers, microsoft/dotnet:6.0 for .NET apps, python:3.9-slim for Python applications, custom images with proprietary business logic.

Enterprise Use Case

**Use Case**: DevOps teams use container images to ensure consistent application deployment across environments, package microservices, and distribute containerized applications.

Diagram

**Visual**: 
🎨 Container Image Selection and Management:

┌─────────────────────────────────────────────────────────────────┐
│                    📦 CONTAINER IMAGE SOURCES                  │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🌐 PUBLIC IMAGES   │    │         🔒 PRIVATE IMAGES          │
│                     │    │                                     │
│ Docker Hub:         │    │  Azure Container Registry (ACR):   │
│ ├─ nginx:latest     │    │  ├─ myacr.azurecr.io/webapp:v1.0   │
│ ├─ redis:alpine     │    │  ├─ myacr.azurecr.io/api:latest    │
│ ├─ postgres:13      │    │  └─ myacr.azurecr.io/worker:dev    │
│ └─ node:18-alpine   │    │                                     │
│                     │    │  Private Registry Benefits:        │
│ Microsoft Images:   │    │  ┌─────────────────────────────────┐│
│ ├─ mcr.microsoft.   │    │  │🔐 Secure proprietary code      ││
│ │  com/dotnet:6.0   │    │  │⚡ Faster pulls (same region)   ││
│ ├─ mcr.microsoft.   │    │  │💰 Bandwidth cost optimization  ││
│ │  com/powershell   │    │  │📊 Usage analytics and scanning ││
│ └─ mcr.microsoft.   │    │  └─────────────────────────────────┘│
│    com/azure-cli    │    └─────────────────────────────────────┘
└─────────────────────┘

🎨 Image Deployment Flow:

┌─────────────────────────────────────────────────────────────────┐
│                    🚀 CONTAINER DEPLOYMENT                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
📦 Image Pull    ───►    🏗️ Container Create    ───►    ▶️ Instance Run

az container create \
  --resource-group myRG \
  --name mycontainer \
  --image nginx:latest \
  --cpu 1 --memory 1.5 \
  --ports 80

Container Sizing and Scaling

Explanation

**Explanation**: Configuration of CPU cores, memory allocation, and scaling policies for Azure Container Instances. Unlike VMs, containers can be sized precisely with fractional CPU cores and specific memory amounts. ACI scaling is primarily manual; automatic scaling is provided by Azure Container Apps instead.

Examples

**Examples**: Allocating 0.5 CPU cores and 1GB RAM for lightweight APIs, 2 cores and 4GB for data processing, setting resource limits to prevent overconsumption.

Enterprise Use Case

**Use Case**: Cost optimization by right-sizing containers, performance tuning for specific workloads, resource planning for container deployments.

Diagram

**Visual**: 
🎨 Container Resource Configuration:

┌─────────────────────────────────────────────────────────────────┐
│                    ⚖️ RESOURCE ALLOCATION                      │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   💻 CPU SIZING      │    │         🧠 MEMORY ALLOCATION        │
│                     │    │                                     │
│ Fractional Cores:   │    │  Memory Ranges:                    │
│ ├─ 0.1 cores (100m) │    │  ├─ 0.5 GB (lightweight)          │
│ ├─ 0.5 cores        │    │  ├─ 1.0 GB (standard web)         │
│ ├─ 1.0 cores        │    │  ├─ 2.0 GB (API processing)       │
│ ├─ 2.0 cores        │    │  ├─ 4.0 GB (data processing)      │
│ └─ 4.0 cores (max)  │    │  └─ 14.0 GB (maximum)             │
│                     │    │                                     │
│ CPU Features:       │    │  Memory Features:                  │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │⚡ Burstable      │ │    │  │📊 Precise allocation           ││
│ │🎯 Precise sizing │ │    │  │💰 Pay-per-GB pricing          ││
│ │💰 Cost effective│ │    │  │🔄 Runtime adjustable           ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

🎨 Sizing Examples:

┌─────────────────────────────────────────────────────────────────┐
│                    📊 WORKLOAD SIZING GUIDE                   │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
🌐 Web Frontend     📡 API Service      🔢 Data Processing    🗄️ Database
├─ 0.5 CPU         ├─ 1.0 CPU          ├─ 2.0 CPU           ├─ 1.0 CPU
├─ 1.0 GB RAM      ├─ 2.0 GB RAM       ├─ 4.0 GB RAM        ├─ 3.0 GB RAM
└─ Port 80/443     └─ Port 8080        └─ Batch jobs        └─ Port 5432

Example Sizing Command:
az container create \
  --name data-processor \
  --cpu 2.0 \
  --memory 4.0 \
  --image myapp:latest
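The container group YAML from the Container Groups section and the sizing limits from this section, combined into one added example (not code from the study guide) that builds the group definition and checks it before deployment; the names, image tags and DNS label are this example's own choices.

```python
"""Build and validate an ACI container-group definition (added example,
not code from the study guide).

Models the group sketched in the Container Groups section (web app,
Redis cache, logging sidecar) with the sizing rules from this section:
fractional CPU and memory requests per container, checked against the
group-wide ceilings the guide quotes (4 cores, 14 GB). Containers in a
group share one network namespace, so no two may listen on the same
port, and only ports listed at group level are reachable on the public
IP. Image tags, names and the DNS label are this example's own choices.
"""
import json

MAX_GROUP_CPU = 4.0          # per-group ceiling quoted in the sizing section
MAX_GROUP_MEMORY_GB = 14.0   # likewise


def container(name, image, cpu, memory_gb, ports=()):
    """One entry for properties.containers in the ACI YAML/JSON schema."""
    return {
        "name": name,
        "properties": {
            "image": image,
            "ports": [{"port": p} for p in ports],
            "resources": {"requests": {"cpu": cpu, "memoryInGb": memory_gb}},
        },
    }


def container_group(name, location, containers, public_ports=(), dns_label=None):
    """Whole container group in the shape accepted by `az container create --file`."""
    ip_address = {
        "type": "Public",
        "ports": [{"port": p, "protocol": "TCP"} for p in public_ports],
    }
    if dns_label:
        ip_address["dnsNameLabel"] = dns_label  # becomes <label>.<region>.azurecontainer.io
    return {
        "apiVersion": "2021-03-01",
        "location": location,
        "name": name,
        "type": "Microsoft.ContainerInstance/containerGroups",
        "properties": {
            "osType": "Linux",
            "restartPolicy": "Always",
            "containers": list(containers),
            "ipAddress": ip_address,
        },
    }


def group_totals(group):
    """Summed CPU cores and GB of memory requested by all containers."""
    reqs = [c["properties"]["resources"]["requests"]
            for c in group["properties"]["containers"]]
    return sum(r["cpu"] for r in reqs), sum(r["memoryInGb"] for r in reqs)


def validate(group):
    """Return a list of problems; an empty list means the definition passes."""
    problems = []
    cpu, mem = group_totals(group)
    if cpu > MAX_GROUP_CPU:
        problems.append(f"total CPU {cpu} exceeds group maximum {MAX_GROUP_CPU}")
    if mem > MAX_GROUP_MEMORY_GB:
        problems.append(f"total memory {mem} GB exceeds group maximum {MAX_GROUP_MEMORY_GB}")
    owner = {}  # port -> container name, to catch clashes in the shared namespace
    for c in group["properties"]["containers"]:
        for p in c["properties"]["ports"]:
            port = p["port"]
            if port in owner:
                problems.append(f"port {port} claimed by both {owner[port]} and {c['name']}")
            owner.setdefault(port, c["name"])
    for p in group["properties"]["ipAddress"]["ports"]:
        if p["port"] not in owner:
            problems.append(f"public port {p['port']} is exposed but no container listens on it")
    return problems


def to_file_text(group):
    """JSON is valid YAML, so this text can be saved and passed to --file."""
    return json.dumps(group, indent=2)


def sample_group():
    """The three-container group from the diagram; only port 80 is public."""
    return container_group(
        "myapp-group", "eastus",
        [
            container("web-app", "nginx:latest", 1.0, 1.0, ports=(80,)),
            container("cache", "redis:alpine", 0.5, 0.5, ports=(6379,)),  # internal only
            container("log-sidecar", "fluentd:latest", 0.25, 0.25),
        ],
        public_ports=(80,), dns_label="myapp",
    )


if __name__ == "__main__":
    group = sample_group()
    print("problems:", validate(group) or "none")
    print(to_file_text(group))
```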

Portal Container Management

Explanation

**Explanation**: Azure Portal graphical interface for creating, configuring, and managing Azure Container Instances. Provides visual forms for container deployment, monitoring dashboards, and log viewing capabilities.

Examples

**Examples**: Creating containers through Portal forms, viewing container logs in real-time, monitoring CPU and memory usage graphs, managing container groups.

Enterprise Use Case

**Use Case**: Operations teams use Portal for visual container management, troubleshooting through GUI tools, and quick container deployments without CLI knowledge.

Diagram

**Visual**: 
🎨 Azure Portal Container Management Interface:

┌─────────────────────────────────────────────────────────────────┐
│                    🖥️ PORTAL NAVIGATION                        │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📋 CREATE FORM     │    │         📊 MONITORING DASHBOARD    │
│                     │    │                                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Basics:          │ │    │  │📈 Performance Metrics:          ││
│ │├─ Container name│ │    │  │├─ CPU Usage: 45%               ││
│ │├─ Resource group│ │    │  │├─ Memory: 1.2GB/2.0GB          ││
│ │├─ Region        │ │    │  │├─ Network I/O: 1.5 MB/s        ││
│ │└─ Image source  │ │    │  │└─ Disk I/O: 245 KB/s           ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Networking:      │ │    │  │📝 Live Logs:                   ││
│ │├─ DNS name      │ │    │  │2025-01-10 10:30:15 INFO App   ││
│ │├─ Ports         │ │    │  │Started successfully             ││
│ │└─ Protocol      │ │    │  │2025-01-10 10:30:20 DEBUG      ││
│ └─────────────────┘ │    │  │Processing request #1234         ││
│                     │    │  │2025-01-10 10:30:25 INFO       ││
│ ┌─────────────────┐ │    │  │Response sent (200 OK)          ││
│ │Advanced:        │ │    │  └─────────────────────────────────┘│
│ │├─ Environment   │ │    └─────────────────────────────────────┘
│ │├─ Resources     │ │
│ │└─ Restart policy│ │
│ └─────────────────┘ │
└─────────────────────┘

Portal Benefits:
────────────────────
🖱️ Point-and-click interface
📊 Visual monitoring charts  
📝 Real-time log streaming
🔍 Easy troubleshooting tools
📋 Form validation and guidance

CLI Container Management

Explanation

**Explanation**: Azure CLI commands for creating, managing, and monitoring Azure Container Instances from the command line. They provide scriptable, automated container deployment and management.

Examples

**Examples**: Creating containers with az container create, viewing logs with az container logs, setting environment variables, configuring restart policies.

Enterprise Use Case

**Use Case**: DevOps automation, CI/CD pipelines, batch container deployments, infrastructure-as-code implementations, and scripted container management.

Diagram

**Visual**: 
🎨 Azure CLI Container Commands:

┌─────────────────────────────────────────────────────────────────┐
│                    💻 CLI COMMAND REFERENCE                    │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🚀 CREATE & DEPLOY │    │         📊 MONITOR & MANAGE         │
│                     │    │                                     │
│ Basic Creation:     │    │  View Container Logs:               │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │az container     │ │    │  │az container logs \             ││
│ │create \         │ │    │  │  --resource-group myRG \       ││
│ │  --name myapp \  │ │    │  │  --name mycontainer \          ││
│ │  --image nginx   │ │    │  │  --follow                       ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Advanced Options:   │    │  Container Status:                  │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │--cpu 2.0 \      │ │    │  │az container show \             ││
│ │--memory 4.0 \   │ │    │  │  --resource-group myRG \       ││
│ │--ports 80 443 \  │ │    │  │  --name mycontainer \          ││
│ │--environment-   │ │    │  │  --query instanceView.state     ││
│ │variables K=v \  │ │    │  └─────────────────────────────────┘│
│ │--dns-name-label \│ │    │                                     │
│ │  myapp          │ │    │  Execute Commands:                  │
│ └─────────────────┘ │    │  ┌─────────────────────────────────┐│
└─────────────────────┘    │  │az container exec \             ││
                           │  │  --resource-group myRG \       ││
┌─────────────────────┐    │  │  --name mycontainer \          ││
│   🔄 LIFECYCLE MGMT  │───►│  │  --exec-command "/bin/bash"     ││
│                     │    │  └─────────────────────────────────┘│
│ Stop Container:     │    └─────────────────────────────────────┘
│ ┌─────────────────┐ │    
│ │az container stop│ │    ┌─────────────────────────────────────┐
│ │  --name myapp   │ │    │         🗑️ CLEANUP OPERATIONS        │
│ └─────────────────┘ │    │                                     │
│                     │    │  Delete Container:                  │
│ Start Container:    │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │az container delete \           ││
│ │az container     │ │───►│  │  --resource-group myRG \       ││
│ │start \          │ │    │  │  --name mycontainer \          ││
│ │  --name myapp   │ │    │  │  --yes                          ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

CLI Benefits:
─────────────────
⚡ Fast deployment
🔄 Scriptable automation  
📝 Infrastructure as Code
🔧 Precise control
🎯 Pipeline integration

Secure App Service

Explanation

**Explanation**: Security configurations for Azure App Service including SSL certificates, authentication providers, IP restrictions, and managed identities. Ensures applications meet enterprise security requirements.

Examples

**Examples**: Implementing Azure AD authentication, restricting access by IP address, enabling HTTPS-only traffic, configuring custom SSL certificates.

Enterprise Use Case

**Use Case**: Enterprise applications requiring authentication, regulatory compliance, restricting access to internal networks, and protecting sensitive data.

Diagram

**Visual**: 
🎨 App Service Security Layers:

┌─────────────────────────────────────────────────────────────────┐
│                    🛡️ SECURITY ARCHITECTURE                    │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🔐 AUTHENTICATION  │    │         🌐 NETWORK SECURITY         │
│                     │    │                                     │
│ Identity Providers: │    │  IP Restrictions:                   │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │🏢 Azure AD      │ │    │  │Allow: 10.0.0.0/8 (Corporate)  ││
│ │📘 Facebook      │ │    │  │Allow: 203.0.113.0/24 (Office) ││
│ │🐦 Twitter       │ │    │  │Deny: 0.0.0.0/0 (All Others)   ││
│ │🔍 Google        │ │    │  └─────────────────────────────────┘│
│ │📧 Microsoft     │ │    │                                     │
│ └─────────────────┘ │    │  Virtual Network Integration:       │
│                     │    │  ┌─────────────────────────────────┐│
│ Easy Auth Config:   │    │  │VNet Subnet: 10.1.0.0/24       ││
│ ┌─────────────────┐ │    │  │Private Endpoints: Enabled      ││
│ │{                │ │    │  │Service Endpoints: Storage      ││
│ │ "enabled": true,│ │    │  │Access: Private only            ││
│ │ "provider": "aad│ │    │  └─────────────────────────────────┘│
│ │ "clientId": "..." │    └─────────────────────────────────────┘
│ │}                │ │    
│ └─────────────────┘ │    ┌─────────────────────────────────────┐
└─────────────────────┘    │         🔒 SSL/TLS ENCRYPTION       │
                           │                                     │
┌─────────────────────┐    │  Certificate Options:               │
│   🔑 MANAGED IDENTITY│───►│  ┌─────────────────────────────────┐│
│                     │    │  │🔹 App Service Managed Cert     ││
│ System Assigned:    │    │  │🔹 Custom Certificate Upload    ││
│ ┌─────────────────┐ │    │  │🔹 Key Vault Integration        ││
│ │Object ID:       │ │    │  │🔹 Let's Encrypt (Free)         ││
│ │12345678-abcd... │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  HTTPS Configuration:               │
│ User Assigned:      │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │HTTPS Only: ✅ Enabled          ││
│ │Custom Identity  │ │    │  │HTTP to HTTPS: ✅ Redirect      ││
│ │Resource ID      │ │    │  │TLS Version: 1.2 minimum        ││
│ └─────────────────┘ │    │  │HSTS: ✅ Enabled               ││
└─────────────────────┘    │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Security Commands:
────────────────────
az webapp auth update -g myRG -n mywebapp2025 --enabled true --action LoginWithAzureActiveDirectory
az webapp config ssl bind -g myRG -n mywebapp2025 --certificate-thumbprint xxx --ssl-type SNI
az webapp config access-restriction add -g myRG -n mywebapp2025 --rule-name "Office" --priority 100 --action Allow --ip-address 203.0.113.0/24
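The IP restriction rules and HTTPS/TLS settings from the diagram, worked as an added example (not code from the study guide) that evaluates a client address against the ordered rules and audits a site's transport settings; the rules, client addresses and site settings are constructed sample data whose keys mirror the `az webapp show` / `az webapp config show` fields they check.

```python
"""Evaluate App Service access-restriction rules and audit the transport
settings shown above (added example, not code from the study guide).

Rules are matched in priority order (lowest number first) and the first
match decides; once at least one rule exists, App Service appends an
implicit deny-all at the lowest priority, so unmatched clients are
refused, while a site with no rules at all accepts everyone. The rule
list, client addresses and site settings are constructed; the keys
mirror the `az webapp show` / `az webapp config show` output fields
they check but hold sample values.
"""
import ipaddress


def evaluate(rules, client_ip):
    """Return (action, rule name) for the client, mirroring the platform's logic."""
    client = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        network = ipaddress.ip_network(rule["ipAddress"], strict=False)
        # An IPv4 client can never match an IPv6 prefix and vice versa.
        if client.version == network.version and client in network:
            return rule["action"], rule["name"]
    if rules:
        return "Deny", "implicit deny-all"
    return "Allow", "no restrictions configured"


def audit_transport(site, config):
    """Findings against the HTTPS/TLS posture in the diagram; empty means hardened."""
    findings = []
    if not site.get("httpsOnly", False):
        findings.append("httpsOnly is off: plain HTTP is served instead of redirected")
    min_tls = config.get("minTlsVersion", "1.0")
    if min_tls < "1.2":  # versions are strings, and "1.0" < "1.2" holds lexically
        findings.append(f"minTlsVersion {min_tls} still allows TLS 1.0/1.1 clients")
    if config.get("ftpsState", "AllAllowed") == "AllAllowed":
        findings.append("ftpsState AllAllowed: deployment credentials can travel over plain FTP")
    return findings


# Constructed rule set matching the IP restrictions in the diagram, plus a
# higher-priority (lower number) Deny for one subnet to show ordering.
SAMPLE_RULES = [
    {"name": "Corporate", "priority": 100, "action": "Allow", "ipAddress": "10.0.0.0/8"},
    {"name": "Office", "priority": 200, "action": "Allow", "ipAddress": "203.0.113.0/24"},
    {"name": "Quarantine", "priority": 50, "action": "Deny", "ipAddress": "10.99.0.0/16"},
]

# Constructed site/config pairs: the weak settings beside the hardened ones.
WEAK_SITE = {"httpsOnly": False}
WEAK_CONFIG = {"minTlsVersion": "1.0", "ftpsState": "AllAllowed"}
HARDENED_SITE = {"httpsOnly": True}
HARDENED_CONFIG = {"minTlsVersion": "1.2", "ftpsState": "Disabled"}


if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.99.1.1", "203.0.113.7", "198.51.100.9"):
        print(ip, "->", evaluate(SAMPLE_RULES, ip))
    print("weak:", audit_transport(WEAK_SITE, WEAK_CONFIG))
    print("hardened:", audit_transport(HARDENED_SITE, HARDENED_CONFIG))
```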

Azure Kubernetes Service (AKS) Clusters

Explanation

**Explanation**: Managed Kubernetes service that handles cluster management, scaling, and maintenance. Provides enterprise-grade security, monitoring, and integration with Azure services for containerized applications.

Examples

**Examples**: Creating production Kubernetes clusters, deploying microservices, implementing auto-scaling, running batch jobs, hosting web applications.

Enterprise Use Case

**Use Case**: Organizations running complex containerized workloads, microservices architectures, CI/CD pipelines, and applications requiring orchestration and scaling.

Diagram

**Visual**: 
🎨 AKS Cluster Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    ☸️ AKS CLUSTER OVERVIEW                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🎛️ CONTROL PLANE   │    │         👷 WORKER NODES             │
│   (Microsoft Managed)│    │                                     │
│                     │    │  ┌─────────────────────────────────┐│
│ API Server          │    │  │Node Pool 1: System             ││
│ Controller Manager  │    │  │├─ VM Size: Standard_D2s_v3      ││
│ Scheduler           │    │  │├─ Count: 3 nodes               ││
│ etcd                │    │  │├─ OS: Ubuntu 20.04              ││
│                     │───►│  │└─ Role: System workloads        ││
│ Features:           │    │  └─────────────────────────────────┘│
│ ┌─────────────────┐ │    │                                     │
│ │✅ Auto-updates   │ │    │  ┌─────────────────────────────────┐│
│ │✅ Auto-scaling   │ │    │  │Node Pool 2: User               ││
│ │✅ Auto-healing   │ │    │  │├─ VM Size: Standard_D4s_v3      ││
│ │✅ 99.95% SLA     │ │    │  │├─ Count: 2-10 nodes (auto-scale)││
│ └─────────────────┘ │    │  │├─ OS: Ubuntu 20.04              ││
└─────────────────────┘    │  │└─ Role: Application workloads   ││
                           │  └─────────────────────────────────┘│
┌─────────────────────┐    └─────────────────────────────────────┘
│   🔌 AZURE SERVICES  │    
│                     │    ┌─────────────────────────────────────┐
│ Container Registry  │    │         📦 WORKLOAD TYPES           │
│ (Image Storage)     │    │                                     │
│                     │───►│  Pod Deployments:                   │
│ Load Balancer       │    │  ┌─────────────────────────────────┐│
│ (Traffic Distrib.)  │    │  │🌐 Web Apps (Nginx, React)      ││
│                     │    │  │📡 APIs (Node.js, .NET)         ││
│ Virtual Network     │    │  │🗄️ Databases (PostgreSQL)       ││
│ (Network Isolation) │    │  │🔄 Background Jobs (Redis)       ││
│                     │    │  │📊 Monitoring (Prometheus)       ││
│ Azure Monitor       │    │  └─────────────────────────────────┘│
│ (Logging & Metrics) │    └─────────────────────────────────────┘
└─────────────────────┘

AKS Creation:
─────────────────
az aks create \
  --resource-group myRG \
  --name myAKSCluster \
  --node-count 3 \
  --enable-addons monitoring \
  --generate-ssh-keys

kubectl get nodes

App Service Pricing Tiers

Explanation

**Explanation**: Different pricing tiers for Azure App Service including Free, Shared, Basic, Standard, Premium, and Isolated levels. Each tier provides different features, performance, and scaling capabilities.

Examples

**Examples**: Free tier for development, Basic for small production apps, Standard for auto-scaling needs, Premium for high performance, Isolated for enterprise security.

Enterprise Use Case

**Use Case**: Cost optimization by choosing appropriate tiers, scaling applications based on traffic, meeting performance requirements, and compliance needs.

Diagram

**Visual**: 
🎨 App Service Pricing Tiers Comparison:

┌─────────────────────────────────────────────────────────────────┐
│                    💰 PRICING TIER OVERVIEW                   │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🆓 FREE & SHARED   │    │         💵 PAID TIERS               │
│                     │    │                                     │
│ Free (F1):          │    │  Basic (B1, B2, B3):               │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │💰 $0/month      │ │    │  │💰 $13-52/month                 ││
│ │⏱️ 60min CPU/day │ │    │  │🖥️ Dedicated VM instances        ││
│ │💾 1GB storage   │ │    │  │🔄 Manual scaling up to 3       ││
│ │🌐 Custom domain │ │    │  │💾 10GB-250GB storage           ││
│ │❌ No SSL       │ │    │  │🔒 Custom SSL supported         ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Shared (D1):        │    │  Standard (S1, S2, S3):            │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │💰 $10/month     │ │    │  │💰 $75-300/month                ││
│ │⏱️ 240min CPU/day│ │    │  │⚡ Auto-scaling up to 10        ││
│ │💾 1GB storage   │ │    │  │🎯 Staging slots               ││
│ │🔒 Custom SSL    │ │    │  │📊 Traffic Manager integration  ││
│ │🌐 Custom domain │ │    │  │🔄 Daily backups               ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🏆 PREMIUM & ENTERPRISE                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   💎 PREMIUM TIERS   │    │         🏢 ISOLATED TIER            │
│                     │    │                                     │
│ Premium v2 (P1v2-3):│    │  Isolated (I1, I2, I3):            │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │💰 $146-584/month│ │    │  │💰 $438-1,168/month             ││
│ │⚡ Auto-scale 30  │ │    │  │🛡️ App Service Environment       ││
│ │💾 250GB storage │ │    │  │🔒 Network isolation            ││
│ │🎯 20 slots      │ │    │  │🏢 Dedicated infrastructure     ││
│ │🔄 4 daily backups│ │    │  │📊 Private VNet integration     ││
│ └─────────────────┘ │    │  │⚡ Auto-scale up to 100         ││
│                     │    │  └─────────────────────────────────┘│
│ Premium v3 (P1v3-3):│    │                                     │
│ ┌─────────────────┐ │    │  Use Cases:                         │
│ │💰 $219-876/month│ │    │  ┌─────────────────────────────────┐│
│ │⚡ Auto-scale 30  │ │    │  │🏥 Healthcare applications      ││
│ │💾 250GB storage │ │    │  │🏦 Financial services           ││
│ │🎯 20 slots      │ │    │  │🏛️ Government workloads          ││
│ │🚀 Better perf   │ │    │  │🔐 High compliance requirements ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

🎨 Tier Selection Decision Tree:

Development → Free Tier
Small Production → Basic Tier  
Auto-scaling Needed → Standard Tier
High Performance → Premium Tier
Enterprise Security → Isolated Tier

VM Network Settings

Explanation

**Explanation**: Network configuration options for Azure Virtual Machines including NIC assignment, IP addressing, DNS settings, network security groups, and load balancer association.

Examples

**Examples**: Assigning static IP addresses, configuring multiple NICs, setting custom DNS servers, associating NSGs, joining load balancer backend pools.

Enterprise Use Case

**Use Case**: Network isolation, multi-tier applications, high availability configurations, security implementations, and complex networking scenarios.

Diagram

**Visual**: 
🎨 VM Network Configuration Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    🌐 VM NETWORK ARCHITECTURE                  │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   💻 VIRTUAL MACHINE │    │         🔗 NETWORK INTERFACES       │
│                     │    │                                     │
│ VM: web-server-01   │◄───┤  Primary NIC (nic-web-01):         │
│ Status: Running     │    │  ┌─────────────────────────────────┐│
│ Size: Standard_B2s  │    │  │Private IP: 10.0.1.4 (Static)   ││
│                     │    │  │Public IP: 20.1.2.3 (Dynamic)   ││
│ Network Settings:   │    │  │Subnet: web-subnet              ││
│ ┌─────────────────┐ │    │  │VNet: production-vnet           ││
│ │✅ IP Forwarding │ │    │  │NSG: web-nsg                    ││
│ │✅ Accelerated   │ │    │  └─────────────────────────────────┘│
│ │   Networking    │ │    │                                     │
│ │✅ Public IP     │ │    │  Secondary NIC (nic-web-02):        │
│ │❌ Boot Diag     │ │    │  ┌─────────────────────────────────┐│
│ └─────────────────┘ │    │  │Private IP: 10.0.2.4 (Static)   ││
└─────────────────────┘    │  │Public IP: None                 ││
                           │  │Subnet: backend-subnet          ││
┌─────────────────────┐    │  │VNet: production-vnet           ││
│   🛡️ SECURITY RULES  │───►│  │NSG: backend-nsg                ││
│                     │    │  └─────────────────────────────────┘│
│ Effective NSG Rules:│    └─────────────────────────────────────┘
│ ┌─────────────────┐ │    
│ │Allow HTTP:80    │ │    ┌─────────────────────────────────────┐
│ │Allow HTTPS:443  │ │    │         🌍 DNS CONFIGURATION        │
│ │Allow SSH:22     │ │    │                                     │
│ │Deny All Other   │ │───►│  DNS Settings:                      │
│ └─────────────────┘ │    │  ┌─────────────────────────────────┐│
│                     │    │  │Primary DNS: 168.63.129.16       ││
│ Load Balancer:      │    │  │Secondary DNS: 8.8.8.8           ││
│ ┌─────────────────┐ │    │  │Search Domain: contoso.com       ││
│ │Backend Pool:    │ │    │  │Register in DNS: ✅ Yes          ││
│ │  web-pool       │ │    │  └─────────────────────────────────┘│
│ │Health Probe:    │ │    │                                     │
│ │  HTTP:80/health │ │    │  Hostname Resolution:               │
│ └─────────────────┘ │    │  ┌─────────────────────────────────┐│
└─────────────────────┘    │  │VM FQDN: web-server-01.eastus.  ││
                           │  │        cloudapp.azure.com       ││
                           │  │Internal: web-server-01.internal ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Network Configuration Commands:
─────────────────────────────────
# Attach the second NIC; the VM must be stopped (deallocated) to add or remove NICs
az vm nic add --resource-group myRG --vm-name myVM --nics nic-web-02
# Pin the primary NIC to 10.0.1.4 (supplying an address makes allocation static); ipconfig1 is the default IP configuration name
az network nic ip-config update --resource-group myRG --nic-name nic-web-01 --name ipconfig1 --private-ip-address 10.0.1.4
# Add an inbound Allow rule for TCP 80 to the NSG on the VM's NIC or subnet (one is created if none exists)
az vm open-port --resource-group myRG --name myVM --port 80 --priority 1000
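
The "Effective NSG Rules" box above is resolved the way the portal does it: rules are evaluated in ascending priority and the first match wins, with Azure's built-in default rules (65000 and up) catching everything else. The script below traces inbound flows against such a rule set; it is an added example for this guide, not Azure's code, and the rules, prefixes and addresses in it are constructed to match the diagram (rule fields follow `az network nsg rule list -o json`).

```python
"""Trace an inbound flow through an NSG the way the portal's "Effective security
rules" view does: rules are checked in ascending priority and the first match
decides; Azure's built-in default rules sit at priority 65000 and above.

Added example for the AZ-104 study guide, not Azure's own code. Rule entries use
the field names of `az network nsg rule list -o json`; the rules, prefixes and
addresses are constructed to match the VM Network Settings diagram.
"""
from ipaddress import ip_address, ip_network

# Constructed address space for production-vnet; expands the VirtualNetwork tag.
VNET_PREFIXES = [ip_network("10.0.0.0/16")]
# The AzureLoadBalancer service tag resolves to this platform address (health probes).
AZURE_LB_PROBE_IP = ip_address("168.63.129.16")

# Default inbound rules present in every NSG. They cannot be deleted, only
# pre-empted by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed web-nsg rules for web-server-01: HTTP/HTTPS from the Internet, SSH
# only from the backend-subnet (10.0.2.0/24). The diagram's "Deny All Other" is
# the built-in DenyAllInBound rule, so it needs no custom entry.
WEB_NSG_RULES = [
    {"name": "Allow-HTTP", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "80"},
    {"name": "Allow-HTTPS", "priority": 110, "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "Allow-SSH-Backend", "priority": 120, "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.2.0/24", "destinationPortRange": "22"},
]


def source_matches(prefix, src):
    """Resolve a sourceAddressPrefix: '*', a service tag, or a CIDR/IP literal."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(src in net for net in VNET_PREFIXES)
    if prefix == "AzureLoadBalancer":
        return src == AZURE_LB_PROBE_IP
    if prefix == "Internet":
        # Simplified model of the tag: everything outside the VNet address
        # space that is not the platform probe address.
        return not any(src in net for net in VNET_PREFIXES) and src != AZURE_LB_PROBE_IP
    return src in ip_network(prefix, strict=False)


def port_matches(port_range, port):
    """destinationPortRange is '*', a single port '80', or a range '8000-8080'."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def protocol_matches(rule_protocol, protocol):
    return rule_protocol == "*" or rule_protocol.lower() == protocol.lower()


def evaluate_inbound(custom_rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first rule that matches the flow."""
    src = ip_address(src_ip)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (protocol_matches(rule["protocol"], protocol)
                and port_matches(rule["destinationPortRange"], dst_port)
                and source_matches(rule["sourceAddressPrefix"], src)):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


if __name__ == "__main__":
    for src, port in [("198.51.100.7", 443), ("198.51.100.7", 22),
                      ("10.0.2.5", 22), ("10.0.1.9", 8080)]:
        print(f"{src}:{port} -> {evaluate_inbound(WEB_NSG_RULES, src, port)}")
```

The fourth trace is the exam trap worth remembering: a port nobody opened is still reachable from inside the VNet because AllowVnetInBound allows it before DenyAllInBound is reached.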

Bicep Files

Explanation

**Explanation**: Domain-specific language (DSL) for deploying Azure resources that compiles to ARM templates. Provides simpler syntax, better type safety, and improved authoring experience compared to JSON ARM templates.

Examples

**Examples**: Creating VM deployments, storage account configurations, network setups, multi-resource applications, parameterized infrastructure templates.

Enterprise Use Case

**Use Case**: Infrastructure as Code implementations, repeatable deployments, version-controlled infrastructure, simplified ARM template authoring.

Diagram

**Visual**: 
🎨 Bicep vs ARM Template Comparison:

┌─────────────────────────────────────────────────────────────────┐
│                    💪 BICEP ADVANTAGES                         │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📝 BICEP SYNTAX    │    │         📄 ARM TEMPLATE JSON       │
│                     │    │                                     │
│ // Storage Account  │    │  {                                  │
│ resource storage    │    │    "type": "Microsoft.Storage/     │
│ 'Microsoft.Storage/ │    │            storageAccounts",       │
│ storageAccounts@... │    │    "apiVersion": "2021-04-01",     │
│ {                   │    │    "name": "[parameters('name')]", │
│   name: storageNa.. │    │    "location": "[parameters('loc']│
│   location: location│    │    "sku": {                        │
│   sku: {            │───►│      "name": "[parameters('sku')]" │
│     name: 'Standard │    │    },                              │
│     _LRS'           │    │    "kind": "StorageV2",            │
│   }                 │    │    "properties": {                 │
│   kind: 'StorageV2' │    │      "accessTier": "Hot"           │
│   properties: {     │    │    }                               │
│     accessTier: 'Hot'│   │  }                                  │
│   }                 │    │                                     │
│ }                   │    └─────────────────────────────────────┘
└─────────────────────┘    

┌─────────────────────────────────────────────────────────────────┐
│                    🔄 BICEP WORKFLOW                           │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
📝 Write Bicep    ───►    🔧 Compile    ───►    🚀 Deploy ARM

Bicep File (.bicep)    →    ARM Template    →    Azure Resources
                                (.json)

┌─────────────────────────────────────────────────────────────────┐
│                    🛠️ BICEP FEATURES                           │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   ✨ LANGUAGE FEATURES│    │         🔧 TOOLING SUPPORT          │
│                     │    │                                     │
│ Type Safety:        │    │  VS Code Extension:                 │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │✅ IntelliSense   │ │    │  │🔍 Syntax highlighting          ││
│ │✅ Auto-complete │ │    │  │🔧 Error detection              ││
│ │✅ Error detection│ │    │  │📖 Documentation hover          ││
│ │✅ Refactoring   │ │    │  │🔄 Auto-completion              ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Modular Design:     │    │  CLI Commands:                      │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │📦 Modules       │ │    │  │az bicep build main.bicep       ││
│ │🔄 Reusability   │ │───►│  │az deployment group create \    ││
│ │🎯 Parameters    │ │    │  │  --template-file main.bicep     ││
│ │📤 Outputs       │ │    │  │az bicep decompile template.json││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

Example Bicep Deployment:
────────────────────────────
// main.bicep
param location string = resourceGroup().location
param vmName string = 'myVM'

module vm 'modules/vm.bicep' = {
  name: 'vmDeployment'
  params: {
    vmName: vmName
    location: location
  }
}

Custom Domain Names for App Service

Explanation

**Explanation**: Configuration of custom domain names for Azure App Service applications, including domain verification, DNS configuration, and SSL certificate binding for production-ready web applications.

Examples

**Examples**: Setting up www.contoso.com for web apps, configuring subdomain routing, implementing CNAME records, binding SSL certificates to custom domains.

Enterprise Use Case

**Use Case**: Professional web applications, brand consistency, SEO optimization, user-friendly URLs, and enterprise application hosting.

Diagram

**Visual**: 
🎨 Custom Domain Configuration Process:

┌─────────────────────────────────────────────────────────────────┐
│                    🌐 DOMAIN SETUP WORKFLOW                   │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📝 DOMAIN PROVIDER │    │         ⚙️ AZURE CONFIGURATION       │
│                     │    │                                     │
│ Domain Registrar:   │    │  App Service Setup:                 │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │GoDaddy          │ │    │  │App Name: mywebapp2025          ││
│ │Namecheap        │ │    │  │Default URL:                    ││
│ │Azure DNS        │ │    │  │mywebapp2025.azurewebsites.net  ││
│ │Route 53         │ │───►│  │                                ││
│ └─────────────────┘ │    │  │Custom Domain Target:            ││
│                     │    │  │www.contoso.com                 ││
│ DNS Records Setup:  │    │  └─────────────────────────────────┘│
│ ┌─────────────────┐ │    │                                     │
│ │Type: CNAME      │ │    │  Domain Verification:               │
│ │Name: www        │ │    │  ┌─────────────────────────────────┐│
│ │Value: mywebapp  │ │    │  │Method 1: TXT Record            ││
│ │  2025.azurewebs │ │    │  │asuid.www.contoso.com           ││
│ │  ites.net       │ │    │  │Value: verification-token-123   ││
│ │TTL: 300         │ │    │  │                                ││
│ └─────────────────┘ │    │  │Method 2: A Record              ││
└─────────────────────┘    │  │20.1.2.3 (App IP)              ││
                           │  └─────────────────────────────────┘│
┌─────────────────────┐    └─────────────────────────────────────┘
│   🔒 SSL CERTIFICATE │    
│                     │    ┌─────────────────────────────────────┐
│ Certificate Options:│    │         🚀 DEPLOYMENT RESULT        │
│ ┌─────────────────┐ │    │                                     │
│ │✅ App Service   │ │    │  Final Configuration:               │
│ │   Managed Cert  │ │    │  ┌─────────────────────────────────┐│
│ │✅ Let's Encrypt │ │───►│  │🌐 www.contoso.com → App        ││
│ │✅ Custom SSL    │ │    │  │🔒 HTTPS enabled automatically  ││
│ │✅ Key Vault     │ │    │  │🔄 HTTP redirects to HTTPS      ││
│ └─────────────────┘ │    │  │⚡ Fast DNS propagation          ││
│                     │    │  │📊 Analytics tracking ready     ││
│ Binding Process:    │    │  └─────────────────────────────────┘│
│ ┌─────────────────┐ │    │                                     │
│ │1. Upload cert   │ │    │  User Journey:                      │
│ │2. Bind to domain│ │    │  ┌─────────────────────────────────┐│
│ │3. Configure SNI │ │    │  │User types: www.contoso.com     ││
│ │4. Test HTTPS    │ │    │  │DNS resolves to Azure IP        ││
│ └─────────────────┘ │    │  │App Service serves content      ││
└─────────────────────┘    │  │SSL ensures secure connection   ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Domain Commands:
──────────────────
# Requires the CNAME (www → myapp.azurewebsites.net) and the asuid.www TXT record shown above to resolve first
az webapp config hostname add --webapp-name myapp --resource-group myRG --hostname www.contoso.com
# Bind the certificate to the custom hostname; SNI needs no dedicated IP address
az webapp config ssl bind --name myapp --resource-group myRG --certificate-thumbprint xxx --ssl-type SNI
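
After the security commands in the App Service section and the `ssl bind` step here, the question is whether the app actually ended up with HTTPS Only, TLS 1.2, a certificate on every custom hostname and a real access restriction. The audit below checks exactly that from CLI output; it is an added example written for this guide, not Azure's or the guide's own code. It assumes the field names of `az webapp show -o json` and `az webapp config show -o json`; every value in the sample dictionaries is constructed.

```python
"""Audit an App Service web app's transport-security settings from az CLI JSON:
HTTPS Only, minimum TLS version, certificate binding on each custom hostname,
and whether access restrictions actually narrow who can reach the app.

Added example for the AZ-104 study guide, not Azure's or the guide's own code.
The dictionaries mirror the field names of `az webapp show -o json` and
`az webapp config show -o json`; every value in them is constructed.
"""
import json

# Constructed: www.contoso.com has been added as a hostname but nothing else has
# been secured yet (the state right after `az webapp config hostname add`).
WEAK_SHOW = json.loads("""{
  "name": "myapp", "defaultHostName": "myapp.azurewebsites.net", "httpsOnly": false,
  "hostNameSslStates": [
    {"name": "myapp.azurewebsites.net", "sslState": "Disabled", "thumbprint": null},
    {"name": "www.contoso.com", "sslState": "Disabled", "thumbprint": null}
  ]
}""")
# Constructed: Azure's defaults untouched. "Allow all" for "Any" at the maximum
# priority is the placeholder rule present before any restriction is added.
WEAK_CONFIG = json.loads("""{
  "minTlsVersion": "1.0",
  "ipSecurityRestrictions": [
    {"name": "Allow all", "ipAddress": "Any", "action": "Allow", "priority": 2147483647}
  ]
}""")

# Constructed: the same app after `az webapp update --https-only true`,
# `az webapp config set --min-tls-version 1.2`, `ssl bind --ssl-type SNI` and an
# "Office" access restriction. Azure appends the "Deny all" entry itself.
HARDENED_SHOW = json.loads("""{
  "name": "myapp", "defaultHostName": "myapp.azurewebsites.net", "httpsOnly": true,
  "hostNameSslStates": [
    {"name": "myapp.azurewebsites.net", "sslState": "Disabled", "thumbprint": null},
    {"name": "www.contoso.com", "sslState": "SniEnabled", "thumbprint": "THUMBPRINT-PLACEHOLDER"}
  ]
}""")
HARDENED_CONFIG = json.loads("""{
  "minTlsVersion": "1.2",
  "ipSecurityRestrictions": [
    {"name": "Office", "ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100},
    {"name": "Deny all", "ipAddress": "Any", "action": "Deny", "priority": 2147483647}
  ]
}""")


def custom_hostnames(show):
    """Hostnames the customer added; *.azurewebsites.net is covered by Microsoft's wildcard cert."""
    return [h for h in show["hostNameSslStates"] if not h["name"].endswith(".azurewebsites.net")]


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def tls_at_least(version, floor="1.2"):
    """True when the configured minimum TLS version meets the floor."""
    return _version_tuple(version) >= _version_tuple(floor)


def restricts_access(rules):
    """True if at least one rule narrows access, i.e. the list is not just the default Allow-all."""
    return any(not (r["action"] == "Allow" and r["ipAddress"] == "Any") for r in rules)


def audit_webapp(show, config):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []
    if not show["httpsOnly"]:
        findings.append("HTTPS Only is off: HTTP requests are served instead of redirected to HTTPS")
    if not tls_at_least(config["minTlsVersion"]):
        findings.append(f"minimum TLS version is {config['minTlsVersion']}; require 1.2")
    for host in custom_hostnames(show):
        if host["sslState"] == "Disabled":
            findings.append(f"{host['name']} has no certificate bound (sslState=Disabled)")
    if not restricts_access(config["ipSecurityRestrictions"]):
        findings.append("no access restrictions: the app accepts traffic from any network")
    # HSTS is not a site-config property: the application itself must send the
    # Strict-Transport-Security header once HTTPS Only is on.
    return findings


if __name__ == "__main__":
    for label, show, config in [("weak", WEAK_SHOW, WEAK_CONFIG),
                                ("hardened", HARDENED_SHOW, HARDENED_CONFIG)]:
        print(label, audit_webapp(show, config) or "OK")
```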

VM Availability Options

Explanation

**Explanation**: High availability configurations for Azure Virtual Machines including Availability Sets, Availability Zones, and Virtual Machine Scale Sets to ensure resilience against failures.

Examples

**Examples**: Deploying VMs across multiple fault domains, utilizing availability zones for regional resilience, implementing scale sets for auto-scaling.

Enterprise Use Case

**Use Case**: Mission-critical applications, disaster recovery, high availability requirements, and scalable web applications.

Diagram

**Visual**: 
🎨 VM Availability Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    🏢 AVAILABILITY ARCHITECTURE                │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🎯 AVAILABILITY SET │    │         🌍 AVAILABILITY ZONES       │
│                     │    │                                     │
│ Fault/Update Domain │    │  Zone-Redundant Deployment:         │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Fault Domain 0:  │ │    │  │Zone 1 (East US):              ││
│ │├─ VM1 (Rack A)  │ │    │  │├─ VM1 (Datacenter A)           ││
│ │└─ VM3 (Rack A)  │ │    │  │└─ Load Balancer Frontend       ││
│ │                 │ │    │  │                                ││
│ │Fault Domain 1:  │ │    │  │Zone 2 (East US):              ││
│ │├─ VM2 (Rack B)  │ │───►│  │├─ VM2 (Datacenter B)           ││
│ │└─ VM4 (Rack B)  │ │    │  │└─ Load Balancer Frontend       ││
│ │                 │ │    │  │                                ││
│ │Update Domain 0: │ │    │  │Zone 3 (East US):              ││
│ │├─ VM1, VM2      │ │    │  │├─ VM3 (Datacenter C)           ││
│ │Update Domain 1: │ │    │  │└─ Load Balancer Frontend       ││
│ │├─ VM3, VM4      │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  Zone Benefits:                     │
│ SLA: 99.95%         │    │  ┌─────────────────────────────────┐│
└─────────────────────┘    │  │📍 Physical separation          ││
                           │  │⚡ Independent power/cooling    ││
┌─────────────────────┐    │  │🌐 Separate network infrastructure││
│   🔄 SCALE SETS      │───►│  │🎯 SLA: 99.99%                 ││
│                     │    │  └─────────────────────────────────┘│
│ Auto-scaling Config:│    └─────────────────────────────────────┘
│ ┌─────────────────┐ │    
│ │Min Instances: 2 │ │    ┌─────────────────────────────────────┐
│ │Max Instances: 10│ │    │         📊 FAILURE SCENARIOS        │
│ │Scale Triggers:  │ │    │                                     │
│ │├─ CPU > 70%     │ │    │  Hardware Failure:                  │
│ │├─ Memory > 80%  │ │    │  ┌─────────────────────────────────┐│
│ │└─ Queue length  │ │───►│  │🔧 Availability Set: Protect     ││
│ │                 │ │    │  │   against rack failures         ││
│ │Health Probes:   │ │    │  │🌍 Availability Zone: Protect    ││
│ │├─ HTTP:80/health│ │    │  │   against datacenter failures   ││
│ │└─ TCP:443       │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  Planned Maintenance:               │
│ VMSS Benefits:      │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │⏰ Update Domains: Sequential    ││
│ │⚡ Auto-scaling  │ │    │  │   updates prevent full outage   ││
│ │💰 Cost efficient│ │    │  │🔄 Rolling updates maintain     ││
│ │🔄 Load balancing│ │    │  │   service availability          ││
│ │🛠️ Easy management│ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    └─────────────────────────────────────┘
└─────────────────────┘

Availability Commands:
────────────────────────
# Availability set: spreads members across fault domains (racks) and update domains (reboot batches)
az vm availability-set create --resource-group myRG --name myAvailSet --platform-fault-domain-count 2 --platform-update-domain-count 5
# A VM is placed in an availability set OR an availability zone, never both (--availability-set and --zone are mutually exclusive)
az vm create --resource-group myRG --name vm1 --image Ubuntu2204 --generate-ssh-keys --availability-set myAvailSet
az vm create --resource-group myRG --name vm2 --image Ubuntu2204 --generate-ssh-keys --zone 1
az vmss create --resource-group myRG --name myScaleSet --image Ubuntu2204 --vm-sku Standard_B2s --instance-count 3 --generate-ssh-keys

Portal VM Management

Explanation

**Explanation**: Azure Portal graphical interface for creating, configuring, and managing Virtual Machines. Provides visual workflow for VM deployment, monitoring dashboards, and administrative operations.

Examples

**Examples**: Creating VMs through Portal wizard, viewing performance metrics, managing disks and networking, configuring availability options.

Enterprise Use Case

**Use Case**: Visual VM management, quick deployments, monitoring and troubleshooting, and operations teams who prefer GUI interfaces.

Diagram

**Visual**: 
🎨 Azure Portal VM Management Interface:

┌─────────────────────────────────────────────────────────────────┐
│                    🖥️ PORTAL VM DASHBOARD                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🚀 VM CREATION     │    │         📊 VM MONITORING            │
│                     │    │                                     │
│ Creation Wizard:    │    │  Performance Metrics:               │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Step 1: Basics   │ │    │  │CPU Usage: [████████░░] 78%     ││
│ │├─ VM name       │ │    │  │Memory: [██████░░░░] 65%        ││
│ │├─ Image         │ │    │  │Disk IOPS: 1,234/sec           ││
│ │├─ Size          │ │    │  │Network In: 15.2 MB/s          ││
│ │└─ Auth          │ │    │  │Network Out: 8.7 MB/s          ││
│ │                 │ │    │  └─────────────────────────────────┘│
│ │Step 2: Disks    │ │    │                                     │
│ │├─ OS disk       │ │    │  Resource Health:                   │
│ │├─ Data disks    │ │    │  ┌─────────────────────────────────┐│
│ │└─ Disk type     │ │───►│  │Status: ✅ Running                ││
│ │                 │ │    │  │Boot Diagnostics: ✅ Enabled     ││
│ │Step 3: Network  │ │    │  │Last Backup: 2 hours ago        ││
│ │├─ VNet          │ │    │  │Availability: 99.95%            ││
│ │├─ Subnet        │ │    │  └─────────────────────────────────┘│
│ │├─ Public IP     │ │    │                                     │
│ │└─ NSG           │ │    │  Recent Activity:                   │
│ │                 │ │    │  ┌─────────────────────────────────┐│
│ │Step 4: Mgmt     │ │    │  │10:30 - VM restarted            ││
│ │├─ Monitoring    │ │    │  │09:15 - Disk attached           ││
│ │├─ Backup        │ │    │  │08:45 - NSG rule updated        ││
│ │└─ Auto-shutdown │ │    │  │08:30 - Performance alert       ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🔧 VM MANAGEMENT ACTIONS                    │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🎛️ POWER CONTROLS  │    │         💽 DISK OPERATIONS          │
│                     │    │                                     │
│ VM States:          │    │  Disk Management:                   │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │▶️ Start VM       │ │    │  │➕ Add Data Disk                ││
│ │⏸️ Stop VM        │ │    │  │📸 Create Snapshot              ││
│ │🔄 Restart VM     │ │    │  │💾 Change Disk Type             ││
│ │💾 Capture Image  │ │    │  │🔧 Resize Disk                  ││
│ │🗑️ Delete VM      │ │    │  │🔓 Enable Encryption            ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Connect Options:    │    │  Backup Configuration:              │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │🖥️ RDP (Windows) │ │    │  │📅 Daily backup at 2 AM         ││
│ │🖥️ SSH (Linux)   │ │───►│  │🗄️ Recovery Services Vault      ││
│ │🌐 Bastion       │ │    │  │📈 Backup retention: 30 days    ││
│ │📱 Serial Console│ │    │  │💰 Backup cost: $15/month       ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

Portal Benefits:
──────────────────
🎯 Guided wizards for easy setup
📊 Rich monitoring and alerting
🔧 Point-and-click management
👥 Suitable for all skill levels
🎨 Visual resource relationships

CLI VM Management

Explanation

**Explanation**: Azure CLI commands for creating, configuring, and managing Virtual Machines through the command-line interface. Enables scriptable, automated VM operations and infrastructure as code.

Examples

**Examples**: Creating VMs with az vm create, managing VM sizes, configuring extensions, automating deployments through scripts.

Enterprise Use Case

**Use Case**: DevOps automation, CI/CD pipelines, infrastructure as code, batch VM operations, and programmatic VM management.

Diagram

**Visual**: 
🎨 Azure CLI VM Command Reference:

┌─────────────────────────────────────────────────────────────────┐
│                    💻 CLI VM OPERATIONS                        │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🚀 VM CREATION     │    │         🔧 VM MANAGEMENT            │
│                     │    │                                     │
│ Basic VM Creation:  │    │  VM Operations:                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │az vm create \   │ │    │  │# Start/Stop/Restart VM          ││
│ │  --resource-     │ │    │  │az vm start --name myVM         ││
│ │   group myRG \  │ │    │  │az vm stop --name myVM          ││
│ │  --name myVM \  │ │    │  │az vm restart --name myVM       ││
│ │  --image Ubuntu  │ │    │  │                                ││
│ │  --admin-        │ │    │  │# Resize VM                     ││
│ │   username admin │ │    │  │az vm resize --name myVM \     ││
│ │  --generate-     │ │    │  │  --size Standard_B2s           ││
│ │   ssh-keys       │ │    │  │                                ││
│ └─────────────────┘ │    │  │# Get VM info                   ││
│                     │    │  │az vm show --name myVM \       ││
│ Advanced Options:   │    │  │  --query powerState            ││
│ ┌─────────────────┐ │    │  └─────────────────────────────────┘│
│ │--size Standard  │ │    │                                     │
│ │ _B2s \          │ │    │  Disk Operations:                   │
│ │--os-disk-size   │ │    │  ┌─────────────────────────────────┐│
│ │ 64 \            │ │───►│  │# Attach data disk               ││
│ │--data-disk-     │ │    │  │az vm disk attach \             ││
│ │ sizes-gb 128 \  │ │    │  │  --vm-name myVM \              ││
│ │--vnet-name      │ │    │  │  --name myDataDisk \           ││
│ │ myVNet \        │ │    │  │  --size-gb 64                   ││
│ │--subnet mySubnet│ │    │  │                                ││
│ │--nsg myNSG \    │ │    │  │# Create VM snapshot             ││
│ │--public-ip ""   │ │    │  │az snapshot create \            ││
│ └─────────────────┘ │    │  │  --name mySnapshot \           ││
└─────────────────────┘    │  │  --source-disk myVM_OsDisk_1    ││
                           │  └─────────────────────────────────┘│
┌─────────────────────┐    └─────────────────────────────────────┘
│   📋 BULK OPERATIONS │    
│                     │    ┌─────────────────────────────────────┐
│ Create Multiple VMs:│    │         🔍 VM MONITORING            │
│ ┌─────────────────┐ │    │                                     │
│ │for i in {1..5}  │ │    │  Performance Metrics:               │
│ │do               │ │    │  ┌─────────────────────────────────┐│
│ │  az vm create \ │ │    │  │# List VM metrics               ││
│ │    --name vm$i  │ │    │  │az monitor metrics list \       ││
│ │    --resource-  │ │───►│  │  --resource myVM \             ││
│ │     group myRG  │ │    │  │  --metric "Percentage CPU"      ││
│ │    --image      │ │    │  │                                ││
│ │     Ubuntu2204  │ │    │  │# VM boot diagnostics           ││
│ │done             │ │    │  │az vm boot-diagnostics get-     ││
│ └─────────────────┘ │    │  │ boot-log --name myVM           ││
│                     │    │  │                                ││
│ Conditional Logic: │    │  │# VM run command                ││
│ ┌─────────────────┐ │    │  │az vm run-command invoke \     ││
│ │if [VM_EXISTS];  │ │    │  │  --name myVM \                ││
│ │then UPDATE;     │ │    │  │  --command-id RunShellScript \ ││
│ │else CREATE;     │ │    │  │  --scripts "df -h"             ││
│ │fi               │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    └─────────────────────────────────────┘
└─────────────────────┘

CLI Benefits:
───────────────
⚡ Fast execution and automation
📝 Scriptable and repeatable
🔄 CI/CD pipeline integration
💻 Cross-platform compatibility
🎯 Precise control over resources
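The `if [VM_EXISTS]; then UPDATE; else CREATE; fi` sketch above, as a working POSIX shell script. This is an added example, not code from the study guide; the resource names (myRG, myVM, myVNet, mySubnet, myNSG), the `--apply` switch and the `ensure_vm` helper are placeholders chosen here, and an authenticated `az` session is assumed when it is run for real. It keeps the two options from the Advanced Options box that most reduce exposure: no public IP and SSH keys instead of a password.

```shell
# Idempotent VM provisioning with the Azure CLI: resize if the VM exists, create it otherwise.
# Added example (not from the study guide); resource names are placeholders and an
# authenticated `az` session is assumed when run with --apply.
set -eu

RG="${RG:-myRG}"
VM="${VM:-myVM}"
LOCATION="${LOCATION:-eastus}"
SIZE="${SIZE:-Standard_B2s}"

# Existence probe: `az vm show` exits non-zero when the VM is missing. Output and the
# "not found" error are discarded; only the exit status matters.
vm_exists() {
  az vm show --resource-group "$1" --name "$2" --output none 2>/dev/null
}

# Create with no public IP (reachable only inside the VNet, e.g. via Bastion or VPN), SSH keys
# instead of a password, and an explicit NSG so inbound rules exist before the VM does.
create_vm() {
  az vm create \
    --resource-group "$1" --name "$2" --location "$LOCATION" \
    --image Ubuntu2204 --size "$SIZE" \
    --admin-username azureuser --generate-ssh-keys \
    --vnet-name myVNet --subnet mySubnet --nsg myNSG \
    --public-ip-address "" \
    --output none
}

# Converge an existing VM to the desired size in place (a resize restarts the VM).
update_vm() {
  az vm resize --resource-group "$1" --name "$2" --size "$SIZE" --output none
}

# The if/else sketch from the diagram. Prints the action taken for callers and tests.
ensure_vm() {
  if vm_exists "$1" "$2"; then
    update_vm "$1" "$2"
    echo "updated"
  else
    create_vm "$1" "$2"
    echo "created"
  fi
}

# Act only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
  ensure_vm "$RG" "$VM"
fi
```

Run it with `--apply` to act; without the switch the file only defines functions, so a pipeline can source it and call `ensure_vm` for each VM in a loop, which is the safe form of the bulk `for i in {1..5}` pattern because re-running it never creates duplicates.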

PowerShell VM Management

Explanation

**Explanation**: Azure PowerShell cmdlets for creating, configuring, and managing Virtual Machines. Provides an object-oriented approach to VM automation with rich scripting capabilities.

Examples

**Examples**: Creating VMs with New-AzVM, managing configurations with PowerShell objects, automating complex deployments.

Enterprise Use Case

**Use Case**: Windows-centric environments, complex automation scenarios, enterprise PowerShell workflows, and advanced VM management tasks.

Diagram

**Visual**: 
🎨 Azure PowerShell VM Commands:

┌─────────────────────────────────────────────────────────────────┐
│                    ⚡ POWERSHELL VM OPERATIONS                  │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🏗️ VM CONSTRUCTION │    │         🎛️ VM ADMINISTRATION        │
│                     │    │                                     │
│ VM Configuration:   │    │  Power Management:                  │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │$vm = New-AzVM   │ │    │  │# Start VM                       ││
│ │ Config \        │ │    │  │Start-AzVM -ResourceGroupName   ││
│ │  -VMName "myVM" │ │    │  │ "myRG" -Name "myVM"            ││
│ │  -VMSize        │ │    │  │                                ││
│ │   "Standard_B2s"│ │    │  │# Stop VM (deallocate)          ││
│ │                 │ │    │  │Stop-AzVM -ResourceGroupName    ││
│ │$vm = Set-AzVM   │ │    │  │ "myRG" -Name "myVM" -Force     ││
│ │ OperatingSystem │ │    │  │                                ││
│ │  -VM $vm \      │ │    │  │# Restart VM                    ││
│ │  -Windows \     │ │    │  │Restart-AzVM -ResourceGroupName ││
│ │  -Credential    │ │    │  │ "myRG" -Name "myVM"            ││
│ │   $cred         │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  VM Information:                    │
│ Quick Creation:     │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │# Get VM details                 ││
│ │New-AzVM \       │ │───►│  │Get-AzVM -ResourceGroupName      ││
│ │ -ResourceGroup  │ │    │  │ "myRG" -Name "myVM" | Select   ││
│ │  "myRG" \       │ │    │  │ Name, PowerState, Location     ││
│ │ -Name "myVM" \  │ │    │  │                                ││
│ │ -Location       │ │    │  │# Get VM sizes available        ││
│ │  "East US" \    │ │    │  │Get-AzVMSize -Location          ││
│ │ -Image          │ │    │  │ "East US" | Where-Object       ││
│ │  "Win2022       │ │    │  │ {$_.Name -like "*B2*"}         ││
│ │  Datacenter"    │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    └─────────────────────────────────────┘
└─────────────────────┘    

┌─────────────────────────────────────────────────────────────────┐
│                    💽 DISK & NETWORK MANAGEMENT                │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   💾 DISK OPERATIONS │    │         🌐 NETWORK CONFIG           │
│                     │    │                                     │
│ Add Data Disk:      │    │  Update NIC Settings:               │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │$vm = Get-AzVM   │ │    │  │# Get network interface          ││
│ │ -ResourceGroup  │ │    │  │$nic = Get-AzNetworkInterface    ││
│ │  "myRG" \       │ │    │  │ -ResourceGroupName "myRG" \    ││
│ │ -Name "myVM"    │ │    │  │ -Name "myVM-nic"               ││
│ │                 │ │    │  │                                ││
│ │$dataDisk = New- │ │    │  │# Update private IP to static   ││
│ │ AzVMDataDisk \  │ │    │  │$nic.IpConfigurations[0].      ││
│ │ -Name "dataDisk"│ │    │  │ PrivateIpAllocationMethod =    ││
│ │ -DiskSizeInGB   │ │    │  │ "Static"                       ││
│ │  128 \          │ │───►│  │                                ││
│ │ -CreateOption   │ │    │  │$nic.IpConfigurations[0].      ││
│ │  Empty          │ │    │  │ PrivateIpAddress = "10.0.1.10" ││
│ │                 │ │    │  │                                ││
│ │$vm = Add-AzVM   │ │    │  │Set-AzNetworkInterface -        ││
│ │ DataDisk -VM $vm│ │    │  │ NetworkInterface $nic          ││
│ │ -DataDisk       │ │    │  │                                ││
│ │  $dataDisk      │ │    │  │Update-AzVM -ResourceGroupName  ││
│ │                 │ │    │  │ "myRG" -VM $vm                ││
│ │Update-AzVM -    │ │    │  └─────────────────────────────────┘│
│ │ ResourceGroup   │ │    └─────────────────────────────────────┘
│ │  "myRG" -VM $vm │ │    
│ └─────────────────┘ │    ┌─────────────────────────────────────┐
└─────────────────────┘    │         📊 ADVANCED SCENARIOS       │
                           │                                     │
┌─────────────────────┐    │  Bulk VM Operations:                │
│   🔄 AUTOMATION      │───►│  ┌─────────────────────────────────┐│
│                     │    │  │# Create multiple VMs            ││
│ Script Variables:   │    │  │1..5 | ForEach-Object {          ││
│ ┌─────────────────┐ │    │  │  New-AzVM -ResourceGroupName    ││
│ │$resourceGroup = │ │    │  │   "myRG" -Name "vm$_" -Location ││
│ │ "myRG"          │ │    │  │   "East US" -Image "Ubuntu2204" ││
│ │$location =      │ │    │  │}                                ││
│ │ "East US"       │ │    │  │                                ││
│ │$vmSize =        │ │    │  │# Conditional VM creation        ││
│ │ "Standard_B2s"  │ │    │  │if (!(Get-AzVM -Name "myVM"     ││
│ │                 │ │    │  │ -ResourceGroupName "myRG"       ││
│ │$vmNames = @(    │ │    │  │ -ErrorAction SilentlyContinue))││
│ │ "web01", "web02"│ │    │  │{New-AzVM ...}                  ││
│ │ "db01"          │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    └─────────────────────────────────────┘
└─────────────────────┘

PowerShell Benefits:
──────────────────────
🏢 Enterprise PowerShell integration
🎯 Object-oriented management
📊 Rich scripting capabilities
🔄 Complex automation scenarios
💪 Windows-native environment

App Service Backup

Explanation

**Explanation**: Automated backup service for Azure App Service applications including application files, configuration, and database content. Provides point-in-time recovery and scheduled backup capabilities.

Examples

**Examples**: Daily automated backups, on-demand backups before deployments, database backup integration, cross-region backup storage.

Enterprise Use Case

**Use Case**: Disaster recovery, accidental data loss protection, compliance requirements, and safe deployment practices.

Diagram

**Visual**: 
🎨 App Service Backup Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    💾 BACKUP CONFIGURATION                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📅 BACKUP SCHEDULE │    │         🗄️ BACKUP CONTENTS          │
│                     │    │                                     │
│ Automatic Backups:  │    │  Application Data:                  │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Daily: 2:00 AM   │ │    │  │📁 Application files (/site/wwwroot)││
│ │Weekly: Sunday   │ │    │  │⚙️ Configuration settings        ││
│ │Monthly: 1st     │ │    │  │📜 Web.config / app settings    ││
│ │Retention: 30d   │ │    │  │🔑 Connection strings           ││
│ └─────────────────┘ │    │  │📱 SSL certificates             ││
│                     │    │  └─────────────────────────────────┘│
│ On-Demand Backups: │    │                                     │
│ ┌─────────────────┐ │    │  Database Integration:              │
│ │Before Deploy    │ │    │  ┌─────────────────────────────────┐│
│ │Before Config    │ │───►│  │🗃️ SQL Database backup           ││
│ │Critical Updates │ │    │  │🍃 MySQL backup                 ││
│ │Manual Snapshot  │ │    │  │📊 Custom database scripts      ││
│ └─────────────────┘ │    │  │⚡ Automatic DB discovery        ││
│                     │    │  └─────────────────────────────────┘│
│ Backup Frequency:   │    │                                     │
│ ┌─────────────────┐ │    │  Exclusions:                        │
│ │Every 1 hour     │ │    │  ┌─────────────────────────────────┐│
│ │Every 6 hours    │ │    │  │📝 Log files (*.log)            ││
│ │Every 12 hours   │ │    │  │🗃️ Temp directories (/temp)     ││
│ │Every 24 hours   │ │    │  │💾 Cache files (/cache)         ││
│ │Custom schedule  │ │    │  │🎯 User-defined patterns        ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🔄 RESTORE OPERATIONS                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📋 RESTORE OPTIONS │    │         ⚠️ RESTORE PROCESS           │
│                     │    │                                     │
│ Restore Targets:    │    │  Restore Steps:                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │🔄 Same App      │ │    │  │1️⃣ Select backup point          ││
│ │🆕 New App       │ │    │  │2️⃣ Choose restore target        ││
│ │🎯 Specific Slot │ │    │  │3️⃣ Configure overwrite options  ││
│ │📁 Partial Data  │ │    │  │4️⃣ Validate dependencies        ││
│ └─────────────────┘ │    │  │5️⃣ Execute restore operation    ││
│                     │    │  └─────────────────────────────────┘│
│ Restore Scope:      │    │                                     │
│ ┌─────────────────┐ │    │  Restore Validation:                │
│ │📱 App only      │ │    │  ┌─────────────────────────────────┐│
│ │🗃️ Database only │ │───►│  │✅ Configuration compatibility   ││
│ │🎯 Full restore  │ │    │  │✅ Database schema validation    ││
│ │⚙️ Config only   │ │    │  │✅ File integrity check         ││
│ └─────────────────┘ │    │  │✅ SSL certificate validity     ││
│                     │    │  └─────────────────────────────────┘│
│ Point-in-Time:      │    │                                     │
│ ┌─────────────────┐ │    │  Post-Restore Actions:              │
│ │📅 Specific date │ │    │  ┌─────────────────────────────────┐│
│ │⏰ Exact time    │ │    │  │🔄 App restart required         ││
│ │📸 Snapshot name │ │    │  │🔍 Validation testing           ││
│ │🏷️ Backup label  │ │    │  │📊 Performance monitoring       ││
│ └─────────────────┘ │    │  │📝 Restore log review           ││
└─────────────────────┘    │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Backup Commands:
──────────────────
az webapp config backup update --resource-group myRG --webapp-name myapp --backup-name daily \
  --container-url "https://storage/container?<sas-token>" --frequency 1d --retention 30 --retain-one true
az webapp config backup restore --resource-group myRG --webapp-name myapp --backup-name daily \
  --container-url "https://storage/container?<sas-token>" --target-name myapp-restored
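The backup commands above as a complete script, with the part they leave implicit: where `--container-url` comes from. App Service needs a SAS URL for the backup container, and here the SAS is issued for that one container only, with just the read/write/delete/list permissions the backup service uses, HTTPS only and with a fixed expiry. This is an added example, not code from the guide; the names (myRG, myapp, mybackupstorage, appbackups) and the helper functions are placeholders, an authenticated `az` session is assumed, and the `--apply` path uses GNU `date` for the expiry arithmetic.

```shell
# Scheduled App Service backups with a scoped, time-boxed container SAS for --container-url.
# Added example (not from the study guide); names are placeholders and an authenticated `az`
# session is assumed. The --apply path uses GNU date for the expiry arithmetic.
set -eu

RG="${RG:-myRG}"
APP="${APP:-myapp}"
ACCOUNT="${ACCOUNT:-mybackupstorage}"
CONTAINER="${CONTAINER:-appbackups}"

# backup_container_url EXPIRY  (EXPIRY in UTC, e.g. 2030-01-01T00:00Z)
# Build the URL App Service stores: a SAS for this one container with only the permissions the
# backup service needs (read, write, delete, list), HTTPS only, expiring at EXPIRY. The SAS is
# signed with the account key, so rotating that key invalidates it and the schedule must be updated.
backup_container_url() {
  sas=$(az storage container generate-sas \
    --account-name "$ACCOUNT" --name "$CONTAINER" \
    --permissions rwdl --expiry "$1" --https-only --output tsv)
  echo "https://${ACCOUNT}.blob.core.windows.net/${CONTAINER}?${sas}"
}

# configure_backup EXPIRY: daily schedule, keep 30 days, always keep the newest backup even
# when it is older than the retention window. Echoes the container URL for reuse.
configure_backup() {
  url=$(backup_container_url "$1")
  az webapp config backup update \
    --resource-group "$RG" --webapp-name "$APP" --backup-name daily \
    --container-url "$url" --frequency 1d --retention 30 --retain-one true \
    --output none
  echo "$url"
}

# backup_now URL: on-demand backup before a deployment, into the same container.
backup_now() {
  az webapp config backup create \
    --resource-group "$RG" --webapp-name "$APP" \
    --backup-name "predeploy-$(date -u '+%Y%m%dT%H%M%SZ')" \
    --container-url "$1" --output none
}

if [ "${1:-}" = "--apply" ]; then
  expiry=$(date -u -d "+180 days" '+%Y-%m-%dT%H:%MZ')   # GNU date; assumption noted above
  url=$(configure_backup "$expiry")
  backup_now "$url"
fi
```

The expiry is deliberate: a SAS that never expires is a standing credential to the backup container, but one that lapses unnoticed stops the schedule, so put the renewal date in the same place the schedule is documented and re-run `configure_backup` before it.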

Portal VM Scale Sets

Explanation

**Explanation**: Azure Portal interface for creating and managing Virtual Machine Scale Sets. Provides visual configuration for auto-scaling, load balancing, and instance management.

Examples

**Examples**: Creating scale sets through Portal wizard, configuring auto-scale rules, monitoring instance health, managing rolling updates.

Enterprise Use Case

**Use Case**: Visual scale set management, quick scaling deployments, monitoring dashboards, and operations teams using GUI interfaces.

Diagram

**Visual**: 
🎨 Portal VM Scale Set Management:

┌─────────────────────────────────────────────────────────────────┐
│                    🎼 SCALE SET DASHBOARD                      │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🚀 CREATION WIZARD │    │         📊 MONITORING VIEW          │
│                     │    │                                     │
│ Step 1: Basics      │    │  Current Metrics:                   │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Scale Set Name   │ │    │  │Instance Count: [██████░░] 6/10  ││
│ │Region: East US  │ │    │  │CPU Average: [████░░░░] 45%     ││
│ │Orchestration    │ │    │  │Memory Usage: [███░░░░░] 32%    ││
│ │├─ Uniform       │ │    │  │Network I/O: 25.6 MB/s         ││
│ │└─ Flexible      │ │    │  │Health Status: ✅ 6 Healthy     ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Step 2: Instance    │    │  Instance List:                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │VM Image: Ubuntu │ │    │  │🖥️ web-vm-0: Running (Zone 1)   ││
│ │VM Size: B2s     │ │    │  │🖥️ web-vm-1: Running (Zone 2)   ││
│ │Initial Count: 3 │ │───►│  │🖥️ web-vm-2: Running (Zone 3)   ││
│ │Max Count: 10    │ │    │  │🖥️ web-vm-3: Running (Zone 1)   ││
│ │Authentication   │ │    │  │🖥️ web-vm-4: Starting (Zone 2)  ││
│ └─────────────────┘ │    │  │🖥️ web-vm-5: Starting (Zone 3)  ││
│                     │    │  └─────────────────────────────────┘│
│ Step 3: Networking  │    │                                     │
│ ┌─────────────────┐ │    │  Recent Events:                     │
│ │Virtual Network  │ │    │  ┌─────────────────────────────────┐│
│ │Load Balancer    │ │    │  │10:45 - Scale out triggered     ││
│ │Public IP        │ │    │  │10:44 - CPU threshold exceeded  ││
│ │Health Probes    │ │    │  │10:30 - Instance web-vm-4 added ││
│ └─────────────────┘ │    │  │10:15 - Health check passed     ││
└─────────────────────┘    │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    ⚖️ AUTO-SCALING CONFIGURATION               │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📈 SCALE OUT RULES │    │         📉 SCALE IN RULES           │
│                     │    │                                     │
│ CPU-Based Scaling:  │    │  Scale In Triggers:                 │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Metric: CPU %    │ │    │  │CPU < 30% for 5 minutes        ││
│ │Threshold: > 70% │ │    │  │Memory < 40% for 10 minutes     ││
│ │Duration: 5 min  │ │    │  │Queue length < 10 messages      ││
│ │Action: +2 VMs   │ │    │  │Low network activity            ││
│ │Cooldown: 10 min │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  Scale In Actions:                  │
│ Custom Metrics:     │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │Remove: 1 VM at a time         ││
│ │Queue Length     │ │───►│  │Cooldown: 15 minutes            ││
│ │Active Sessions  │ │    │  │Instance Selection: Newest first││
│ │Response Time    │ │    │  │Minimum Instances: 2            ││
│ │Custom App Metric│ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  Safety Limits:                     │
│ Schedule-Based:     │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │Maximum Instances: 10            ││
│ │Business Hours   │ │    │  │Minimum Instances: 2            ││
│ │9 AM - 6 PM: 5   │ │    │  │Scale Rate Limit: 20% per hour  ││
│ │Peak Times: 8    │ │    │  │Health Grace Period: 5 minutes  ││
│ │Off Hours: 2     │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    └─────────────────────────────────────┘
└─────────────────────┘

Portal Benefits for VMSS:
───────────────────────────
🎨 Visual auto-scaling rule setup
📊 Real-time instance monitoring  
🔧 Point-and-click configuration
🎯 Guided scaling policy creation
📈 Interactive scaling charts

CLI VM Scale Sets

Explanation

**Explanation**: Azure CLI commands for creating, configuring, and managing Virtual Machine Scale Sets through the command-line interface. Enables automated scaling operations and infrastructure as code for scale sets.

Examples

**Examples**: Creating scale sets with az vmss create, managing instances, configuring auto-scaling rules, performing rolling updates.

Enterprise Use Case

**Use Case**: DevOps automation, CI/CD pipeline integration, infrastructure as code, automated scaling operations, and programmatic VMSS management.

Diagram

**Visual**: 
🎨 Azure CLI VM Scale Set Commands:

┌─────────────────────────────────────────────────────────────────┐
│                    💻 CLI VMSS OPERATIONS                      │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🚀 VMSS CREATION   │    │         ⚖️ SCALING OPERATIONS        │
│                     │    │                                     │
│ Basic VMSS Creation:│    │  Manual Scaling:                    │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │az vmss create \ │ │    │  │# Scale out (add instances)      ││
│ │  --resource-     │ │    │  │az vmss scale \                 ││
│ │   group myRG \  │ │    │  │  --name myVMSS \               ││
│ │  --name myVMSS \│ │    │  │  --new-capacity 8               ││
│ │  --image Ubuntu  │ │    │  │                                ││
│ │  --vm-sku        │ │    │  │# Scale in (remove instances)   ││
│ │   Standard_B2s \ │ │    │  │az vmss scale \                 ││
│ │  --instance-count│ │    │  │  --name myVMSS \               ││
│ │   3 \            │ │    │  │  --new-capacity 2               ││
│ │  --admin-username│ │    │  └─────────────────────────────────┘│
│ │   azureuser      │ │    │                                     │
│ └─────────────────┘ │    │  Auto-scaling Configuration:        │
│                     │    │  ┌─────────────────────────────────┐│
│ Advanced Options:   │    │  │az monitor autoscale create \   ││
│ ┌─────────────────┐ │    │  │  --resource-group myRG \       ││
│ │--load-balancer  │ │───►│  │  --resource myVMSS \           ││
│ │ myLB \          │ │    │  │  --min-count 2 \               ││
│ │--backend-pool   │ │    │  │  --max-count 10 \              ││
│ │ myPool \        │ │    │  │  --count 3                      ││
│ │--zones 1 2 3 \  │ │    │  │                                ││
│ │--upgrade-policy │ │    │  │# Add scale rule                ││
│ │ Automatic \     │ │    │  │az monitor autoscale rule \     ││
│ │--health-probe   │ │    │  │  create --condition             ││
│ │ myProbe         │ │    │  │  "CPU > 70" --scale out 2       ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🔧 VMSS MANAGEMENT                          │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📋 INSTANCE MGMT   │    │         🔄 UPDATE OPERATIONS        │
│                     │    │                                     │
│ List Instances:     │    │  Rolling Updates:                   │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │az vmss list-    │ │    │  │# Update VMSS model              ││
│ │ instances \     │ │    │  │az vmss update \                ││
│ │  --name myVMSS  │ │    │  │  --name myVMSS \               ││
│ │  --query "[].{  │ │    │  │  --set upgradePolicy.mode=      ││
│ │   Name:name,    │ │    │  │   Automatic                     ││
│ │   State:provisi │ │    │  │                                ││
│ │   oningState}"  │ │    │  │# Manual instance updates       ││
│ └─────────────────┘ │    │  │az vmss update-instances \      ││
│                     │    │  │  --name myVMSS \               ││
│ Instance Operations:│    │  │  --instance-ids 0 1 2           ││
│ ┌─────────────────┐ │    │  └─────────────────────────────────┘│
│ │# Restart        │ │    │                                     │
│ │az vmss restart \│ │───►│  Image Updates:                     │
│ │  --instance-ids │ │    │  ┌─────────────────────────────────┐│
│ │   0 1 2         │ │    │  │# Change VM image                ││
│ │                 │ │    │  │az vmss update \                ││
│ │# Deallocate     │ │    │  │  --name myVMSS \               ││
│ │az vmss          │ │    │  │  --set virtualMachineProfile.  ││
│ │ deallocate \    │ │    │  │   storageProfile.imageReference ││
│ │  --instance-ids │ │    │  │   .version=latest               ││
│ │   3 4           │ │    │  │                                ││
│ │                 │ │    │  │# Apply to all instances        ││
│ │# Delete         │ │    │  │az vmss update-instances \      ││
│ │az vmss delete-  │ │    │  │  --name myVMSS \               ││
│ │ instances \     │ │    │  │  --instance-ids "*"             ││
│ │  --instance-ids │ │    │  └─────────────────────────────────┘│
│ │   5             │ │    └─────────────────────────────────────┘
│ └─────────────────┘ │    
└─────────────────────┘    ┌─────────────────────────────────────┐
                           │         📊 MONITORING & LOGS       │
┌─────────────────────┐    │                                     │
│   🛠️ EXTENSIBILITY   │───►│  Health Monitoring:                 │
│                     │    │  ┌─────────────────────────────────┐│
│ Extensions:         │    │  │az vmss get-instance-view \     ││
│ ┌─────────────────┐ │    │  │  --name myVMSS                  ││
│ │az vmss extension│ │    │  │                                ││
│ │ set \           │ │    │  │# Check application health      ││
│ │  --vmss-name    │ │    │  │az vmss show \                  ││
│ │   myVMSS \      │ │    │  │  --name myVMSS \               ││
│ │  --name Custom  │ │    │  │  --query "virtualMachineProfile││
│ │   Script \      │ │    │  │   .extensionProfile"           ││
│ │  --settings     │ │    │  └─────────────────────────────────┘│
│ │   script.sh     │ │    │                                     │
│ └─────────────────┘ │    │  Activity Logs:                     │
│                     │    │  ┌─────────────────────────────────┐│
│ Application Health: │    │  │az monitor activity-log list \  ││
│ ┌─────────────────┐ │    │  │  --resource-group myRG \       ││
│ │az vmss update \ │ │    │  │  --resource-type Microsoft.    ││
│ │  --name myVMSS \│ │    │  │   Compute/virtualMachineScale  ││
│ │  --enable-      │ │    │  │   Sets --max-events 50         ││
│ │   automatic-    │ │    │  └─────────────────────────────────┘│
│ │   repairs       │ │    └─────────────────────────────────────┘
│ └─────────────────┘ │    
└─────────────────────┘

CLI VMSS Benefits:
─────────────────────
⚡ Automated scaling operations
📝 Infrastructure as code workflows
🔄 CI/CD pipeline integration  
🎯 Precise instance control
📊 Scriptable monitoring and management
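The scale-out and scale-in rules from the Portal auto-scaling configuration (CPU above 70% for 5 minutes adds 2 instances with a 10-minute cooldown; CPU below 30% for 5 minutes removes 1 instance with a 15-minute cooldown; between 2 and 10 instances), created with the `az monitor autoscale` commands from this section. This is an added example rather than code from the guide; it assumes an authenticated `az` session and placeholder names (myRG, myVMSS, myAutoscale). The `valid_condition` check is a local helper written here, not an Azure CLI feature.

```shell
# Autoscale for a VMSS with the same rules as the Portal walkthrough: out by 2 when CPU > 70%
# for 5 min (10 min cooldown), in by 1 when CPU < 30% for 5 min (15 min cooldown), 2..10 instances.
# Added example (not from the study guide); names are placeholders. Needs an authenticated `az`.
set -eu

RG="${RG:-myRG}"
VMSS="${VMSS:-myVMSS}"
SETTING="${SETTING:-myAutoscale}"

# Hard floor and ceiling. The floor is the safety limit: no scale-in rule can go below it, so a
# flapping metric cannot take the service to zero. --count is the default when no rule applies.
create_autoscale_setting() {
  az monitor autoscale create \
    --resource-group "$RG" --name "$SETTING" \
    --resource "$VMSS" --resource-type Microsoft.Compute/virtualMachineScaleSets \
    --min-count 2 --max-count 10 --count 3 --output none
}

# Local sanity check (written here, not an az feature) for the basic condition grammar
# "<metric> <op> <threshold> <aggregation> <window>", e.g. "Percentage CPU > 70 avg 5m".
valid_condition() {
  printf '%s\n' "$1" | grep -Eq \
    '^[A-Za-z][A-Za-z /%]* (>|<|>=|<=|==|!=) [0-9]+(\.[0-9]+)? (avg|min|max|total|count) (([0-9]+h)?[0-9]+m|[0-9]+h)$'
}

# add_rule CONDITION in|out DELTA COOLDOWN_MINUTES
# Rejects a malformed condition before calling Azure, so a typo fails here instead of producing
# a rule that silently never fires.
add_rule() {
  valid_condition "$1" || { echo "add_rule: bad condition '$1'" >&2; return 1; }
  case "$2" in "in"|"out") ;; *) echo "add_rule: direction must be in or out" >&2; return 1;; esac
  az monitor autoscale rule create \
    --resource-group "$RG" --autoscale-name "$SETTING" \
    --condition "$1" --scale "$2" "$3" --cooldown "$4" --output none
}

apply_cpu_rules() {
  create_autoscale_setting
  # Scale out quickly on sustained load ...
  add_rule "Percentage CPU > 70 avg 5m" out 2 10
  # ... and scale in slowly, one instance at a time, to avoid oscillation.
  add_rule "Percentage CPU < 30 avg 5m" in 1 15
}

if [ "${1:-}" = "--apply" ]; then
  apply_cpu_rules
fi
```

The asymmetry between the two rules is the design point: the scale-out rule reacts in larger steps with a shorter cooldown so load is absorbed, while the scale-in rule removes one instance at a time with a longer cooldown so a brief dip does not strip capacity that the next spike needs.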

PowerShell VM Scale Sets

Explanation

**Explanation**: Azure PowerShell cmdlets for creating, configuring, and managing Virtual Machine Scale Sets. Provides an object-oriented approach to VMSS automation with advanced scripting capabilities.

Examples

**Examples**: Creating VMSS with New-AzVmss, managing scaling policies, configuring load balancers, automating instance operations.

Enterprise Use Case

**Use Case**: Windows-centric environments, enterprise automation, complex VMSS deployments, and advanced PowerShell workflows.

Diagram

**Visual**: 
🎨 Azure PowerShell VM Scale Set Operations:

┌─────────────────────────────────────────────────────────────────┐
│                    ⚡ POWERSHELL VMSS OPERATIONS               │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🏗️ VMSS CONSTRUCTION│   │         ⚖️ SCALING MANAGEMENT       │
│                     │    │                                     │
│ Configuration Build:│    │  Manual Scaling:                    │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │# Create config  │ │    │  │# Scale to specific capacity     ││
│ │$vmssConfig = New│ │    │  │Update-AzVmss \                 ││
│ │ -AzVmssConfig \ │ │    │  │  -ResourceGroupName "myRG" \   ││
│ │  -Location      │ │    │  │  -VMScaleSetName "myVMSS" \    ││
│ │   "East US" \   │ │    │  │  -SkuCapacity 8                 ││
│ │  -SkuCapacity 3 │ │    │  │                                ││
│ │  -SkuName       │ │    │  │# Get current capacity          ││
│ │   "Standard_B2s"│ │    │  │$vmss = Get-AzVmss \           ││
│ │                 │ │    │  │  -ResourceGroupName "myRG" \   ││
│ │# Set OS Profile │ │    │  │  -VMScaleSetName "myVMSS"      ││
│ │$vmssConfig = Set│ │    │  │Write-Host "Capacity: $($vmss.  ││
│ │ -AzVmssOSProfile│ │    │  │ Sku.Capacity)"                 ││
│ │  -VirtualMachine│ │    │  └─────────────────────────────────┘│
│ │   ScaleSetConfig│ │    │                                     │
│ │   $vmssConfig \ │ │    │  Auto-scaling Rules:                │
│ │  -AdminUsername │ │    │  ┌─────────────────────────────────┐│
│ │   "azureuser"   │ │───►│  │# Create autoscale setting      ││
│ └─────────────────┘ │    │  │$autoscaleSetting = New-        ││
│                     │    │  │ AzAutoscaleSetting \           ││
│ Network Config:     │    │  │  -ResourceGroupName "myRG" \   ││
│ ┌─────────────────┐ │    │  │  -Name "myAutoscale" \         ││
│ │# Create subnet  │ │    │  │  -Location "East US" \         ││
│ │$subnet = New-Az │ │    │  │  -Profile $profile              ││
│ │ VirtualNetwork  │ │    │  │                                ││
│ │ SubnetConfig \ │ │    │  │# Add scale rule                ││
│ │  -Name "default"│ │    │  │$scaleRule = New-AzAutoscale    ││
│ │  -AddressPrefix │ │    │  │ Rule -MetricName "CPU %" \     ││
│ │   "10.0.1.0/24" │ │    │  │  -Operator GreaterThan \       ││
│ │                 │ │    │  │  -Threshold 70 \               ││
│ │$vnet = New-Az   │ │    │  │  -ScaleActionDirection Increase││
│ │ VirtualNetwork \│ │    │  │  -ScaleActionType ChangeCount  ││
│ │  -ResourceGroup │ │    │  │  -ScaleActionValue 2            ││
│ │   Name "myRG" \│ │    │  └─────────────────────────────────┘│
│ │  -Name "myVNet" │ │    └─────────────────────────────────────┘
│ └─────────────────┘ │    
└─────────────────────┘    ┌─────────────────────────────────────┐
                           │         🔧 INSTANCE OPERATIONS      │
┌─────────────────────┐    │                                     │
│   🚀 DEPLOYMENT      │───►│  Instance Management:               │
│                     │    │  ┌─────────────────────────────────┐│
│ Create VMSS:        │    │  │# Get instance details           ││
│ ┌─────────────────┐ │    │  │$instances = Get-AzVmssVM \     ││
│ │New-AzVmss \     │ │    │  │  -ResourceGroupName "myRG" \   ││
│ │  -ResourceGroup │ │    │  │  -VMScaleSetName "myVMSS"      ││
│ │   Name "myRG" \  │ │    │  │                                ││
│ │  -VMScaleSetName│ │    │  │$instances | ForEach-Object {   ││
│ │   "myVMSS" \    │ │    │  │  Write-Host "Instance $($_.    ││
│ │  -VirtualMachine│ │    │  │   InstanceId): $($_.Statuses[0]││
│ │   ScaleSetConfig│ │    │  │   .DisplayStatus)"              ││
│ │   $vmssConfig   │ │    │  │}                               ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Deployment Options: │    │  Bulk Operations:                   │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │# With load      │ │    │  │# Restart specific instances     ││
│ │# balancer       │ │    │  │Restart-AzVmss \                ││
│ │-LoadBalancerName│ │    │  │  -ResourceGroupName "myRG" \   ││
│ │ "myLB" \        │ │    │  │  -VMScaleSetName "myVMSS" \    ││
│ │                 │ │    │  │  -InstanceId @("0","1","2")     ││
│ │# With zones     │ │    │  │                                ││
│ │-Zone @("1","2", │ │    │  │# Update all instances          ││
│ │ "3") \          │ │    │  │Update-AzVmssInstance \         ││
│ │                 │ │    │  │  -ResourceGroupName "myRG" \   ││
│ │# Health probe   │ │    │  │  -VMScaleSetName "myVMSS" \    ││
│ │-HealthProbeId   │ │    │  │  -InstanceId "*"                ││
│ │ $probe.Id       │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    └─────────────────────────────────────┘
└─────────────────────┘

🎨 Advanced PowerShell Scenarios:

Conditional Scaling Logic:
# Look up the scale set once; its Id feeds Get-AzMetric and its Sku.Capacity the scale-out step
$vmss = Get-AzVmss -ResourceGroupName "myRG" -VMScaleSetName "myVMSS"
# The VMSS metric is named "Percentage CPU"; take the most recent averaged sample
$currentLoad = (Get-AzMetric -ResourceId $vmss.Id -MetricName "Percentage CPU" -AggregationType Average).Data |
               Select-Object -Last 1
if ($currentLoad.Average -gt 80) {
    # Update-AzVmss needs the scale set's identity and uses -SkuCapacity (there is no -Capacity)
    Update-AzVmss -ResourceGroupName "myRG" -VMScaleSetName "myVMSS" -SkuCapacity ($vmss.Sku.Capacity + 2)
    Write-Host "Scaled out due to high CPU: $($currentLoad.Average)%"
}

Custom Health Monitoring:
# Get-AzVmssVM lists instances without their power state; query each one with -InstanceView to read it
$unhealthyIds = Get-AzVmssVM -ResourceGroupName "myRG" -VMScaleSetName "myVMSS" | ForEach-Object {
    $view = Get-AzVmssVM -ResourceGroupName "myRG" -VMScaleSetName "myVMSS" -InstanceId $_.InstanceId -InstanceView
    # Statuses holds both ProvisioningState/* and PowerState/* entries; pick the power state explicitly
    $power = ($view.Statuses | Where-Object Code -like "PowerState/*").DisplayStatus
    if ($power -ne "VM running") { $_.InstanceId }
}
if (@($unhealthyIds).Count -gt 0) {
    Restart-AzVmss -ResourceGroupName "myRG" -VMScaleSetName "myVMSS" -InstanceId $unhealthyIds
}

PowerShell VMSS Benefits:
────────────────────────────
🏢 Enterprise PowerShell integration
🎯 Object-oriented resource management
📊 Advanced scripting and logic
🔄 Complex automation workflows
💪 Rich error handling and reporting

AKS Active Directory Integration

Explanation

**Explanation**: Integration of Azure Kubernetes Service with Azure AD (now Microsoft Entra ID) so that kubectl users sign in with their directory identity, subject to MFA and Conditional Access, instead of a shared cluster certificate. Authorization is then either Kubernetes RBAC (RoleBindings and ClusterRoleBindings whose subjects are Azure AD groups) or Azure RBAC for Kubernetes authorization (--enable-azure-rbac), where access is granted with Azure role assignments such as Azure Kubernetes Service RBAC Reader, Writer, Admin and Cluster Admin; the two can coexist. Two details matter in practice: binding subjects must be the group's object ID, not its display name, because that is what the token's group claim carries, and az aks get-credentials --admin still hands out the non-Azure AD cluster-admin credential unless local accounts are disabled on the cluster.

Examples

**Examples**: Configuring Azure AD authentication, implementing Kubernetes RBAC, managing user access, integrating with existing identity systems.

Enterprise Use Case

**Use Case**: Enterprise security requirements, centralized identity management, compliance with organizational policies, and secure multi-user Kubernetes environments.

Diagram

**Visual**: 
🎨 AKS Active Directory Integration Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    🏢 ENTERPRISE IDENTITY INTEGRATION          │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🔐 AZURE AD TENANT │    │         ☸️ AKS CLUSTER              │
│                     │    │                                     │
│ Organization:       │    │  Cluster Configuration:             │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │👥 Users         │ │    │  │Cluster Name: prod-aks-cluster  ││
│ │├─ developers@   │ │    │  │AAD Enabled: ✅ Yes             ││
│ │├─ operators@    │ │    │  │Admin Group: k8s-cluster-admins ││
│ │└─ viewers@      │ │    │  │RBAC Enabled: ✅ Yes            ││
│ │                 │ │    │  └─────────────────────────────────┘│
│ │🏢 Groups        │ │    │                                     │
│ │├─ k8s-admins    │ │    │  Authentication Flow:               │
│ │├─ k8s-devs      │ │───►│  ┌─────────────────────────────────┐│
│ │├─ k8s-ops       │ │    │  │1️⃣ User runs kubectl command     ││
│ │└─ k8s-viewers   │ │    │  │2️⃣ AKS redirects to Azure AD    ││
│ │                 │ │    │  │3️⃣ User authenticates with AAD  ││
│ │🔑 Applications  │ │    │  │4️⃣ AAD issues token             ││
│ │├─ kubectl       │ │    │  │5️⃣ kubectl uses token for API   ││
│ │├─ dashboard     │ │    │  │6️⃣ AKS validates and authorizes ││
│ │└─ monitoring    │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    └─────────────────────────────────────┘
└─────────────────────┘    

┌─────────────────────────────────────────────────────────────────┐
│                    🛡️ RBAC AUTHORIZATION                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📋 ROLE DEFINITIONS│    │         🎯 ROLE BINDINGS            │
│                     │    │                                     │
│ Cluster Roles:      │    │  Admin Binding:                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │🏛️ cluster-admin │ │    │  │apiVersion: rbac.authorization.  ││
│ │├─ * permissions │ │    │  │  k8s.io/v1                      ││
│ │└─ All resources │ │    │  │kind: ClusterRoleBinding         ││
│ │                 │ │    │  │metadata:                        ││
│ │👁️ view          │ │    │  │  name: aad-cluster-admins       ││
│ │├─ get, list     │ │    │  │roleRef:                         ││
│ │└─ Most resources│ │    │  │  name: cluster-admin            ││
│ │                 │ │    │  │subjects:                        ││
│ │✏️ edit          │ │───►│  │- kind: Group                    ││
│ │├─ create, update│ │    │  │  name: "k8s-cluster-admins"     ││
│ │├─ delete        │ │    │  │  apiGroup: rbac.authorization.  ││
│ │└─ Most resources│ │    │  │    k8s.io                       ││
│ │                 │ │    │  └─────────────────────────────────┘│
│ │🔧 Custom Roles  │ │    │                                     │
│ │├─ app-developer │ │    │  Namespace Binding:                 │
│ │├─ app-operator  │ │    │  ┌─────────────────────────────────┐│
│ │└─ db-admin      │ │    │  │apiVersion: rbac.authorization.  ││
│ └─────────────────┘ │    │  │  k8s.io/v1                      ││
└─────────────────────┘    │  │kind: RoleBinding                ││
                           │  │metadata:                        ││
┌─────────────────────┐    │  │  namespace: development         ││
│   🔧 ACCESS PATTERNS │───►│  │  name: dev-team-binding         ││
│                     │    │  │roleRef:                         ││
│ Development Team:   │    │  │  name: edit                     ││
│ ┌─────────────────┐ │    │  │subjects:                        ││
│ │Namespace: dev   │ │    │  │- kind: Group                    ││
│ │Role: edit       │ │    │  │  name: "k8s-developers"         ││
│ │Resources:       │ │    │  └─────────────────────────────────┘│
│ │├─ Pods          │ │    └─────────────────────────────────────┘
│ │├─ Services      │ │    
│ │├─ Deployments   │ │    ┌─────────────────────────────────────┐
│ │└─ ConfigMaps    │ │    │         🚀 SETUP COMMANDS           │
│ └─────────────────┘ │    │                                     │
│                     │    │  Enable AAD Integration:            │
│ Operations Team:    │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │# Create AKS with AAD            ││
│ │Namespace: *     │ │    │  │az aks create -g myRG -n myAKS \││
│ │Role: cluster-   │ │    │  │  --enable-aad \                ││
│ │ admin           │ │    │  │  --aad-admin-group-object-ids   ││
│ │Resources: All   │ │    │  │  $ADMIN_GROUP_ID \              ││
│ └─────────────────┘ │    │  │  --enable-azure-rbac \          ││
└─────────────────────┘    │  │  --disable-local-accounts      ││
                           │  │# Get AKS credentials            ││
                           │  │az aks get-credentials \        ││
                           │  │  --resource-group myRG \       ││
                           │  │  --name myAKS                   ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Integration Benefits:
───────────────────────
🏢 Centralized identity management
🔐 Strong authentication with MFA
👥 Group-based access control
📊 Audit logging and compliance
🛡️ Enterprise security standards
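The bindings in the diagram above, written out completely, as an added example that is not code from this guide or from AKS. It assumes Kubernetes-native RBAC on an Azure AD integrated cluster, and the two group object IDs are constructed placeholders rather than objects from a real tenant. The point it makes is the one the diagram glosses over: a roleRef needs apiGroup, kind and name, and a Group subject must carry the group's object ID, because a display name never matches the groups claim in the token.

```python
"""Kubernetes RBAC bindings for Azure AD (Entra ID) groups on AKS.

Added example, not code from the guide or from AKS itself. It assumes the
cluster was created with --enable-aad and that authorization is done with
Kubernetes-native RBAC (RoleBindings/ClusterRoleBindings). The group object
IDs below are constructed placeholders, not objects from a real tenant.
"""
import json
import uuid

RBAC_API_GROUP = "rbac.authorization.k8s.io"
RBAC_API_VERSION = "rbac.authorization.k8s.io/v1"

# Constructed placeholders. In a real tenant take the values from:
#   az ad group show --group k8s-cluster-admins --query id -o tsv
GROUP_IDS = {
    "k8s-cluster-admins": "11111111-2222-3333-4444-555555555555",
    "k8s-developers": "66666666-7777-8888-9999-000000000000",
}


def is_object_id(value: str) -> bool:
    """AKS fills the token's group claims with Entra *object IDs* (GUIDs),
    so a subject written as a display name never matches any user."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def group_binding(name, role, group_object_id, namespace=None):
    """Build a RoleBinding (namespaced) or ClusterRoleBinding (cluster-wide)
    that grants ClusterRole `role` to one Entra group, as a dict that
    kubectl apply accepts (kubectl reads JSON as well as YAML).

    A RoleBinding may reference a ClusterRole such as `edit`; the grant is
    then limited to the binding's namespace.
    """
    if not is_object_id(group_object_id):
        raise ValueError(
            f"subject {group_object_id!r} must be the group object ID, "
            "not its display name")
    metadata = {"name": name}
    if namespace:
        metadata["namespace"] = namespace
    return {
        "apiVersion": RBAC_API_VERSION,
        "kind": "RoleBinding" if namespace else "ClusterRoleBinding",
        "metadata": metadata,
        # roleRef needs all three fields; the guide's diagram omits two of them.
        "roleRef": {"apiGroup": RBAC_API_GROUP, "kind": "ClusterRole", "name": role},
        "subjects": [
            {"apiGroup": RBAC_API_GROUP, "kind": "Group", "name": group_object_id}
        ],
    }


def build_manifests():
    """The two bindings shown in the diagram: cluster-admin for the admin
    group, `edit` in the development namespace for developers."""
    return [
        group_binding("aad-cluster-admins", "cluster-admin",
                      GROUP_IDS["k8s-cluster-admins"]),
        group_binding("dev-team-binding", "edit",
                      GROUP_IDS["k8s-developers"], namespace="development"),
    ]


def cluster_admin_subjects(bindings):
    """Audit helper: every subject that holds cluster-admin cluster-wide.
    Keep this list to a single break-glass group."""
    return [
        subject["name"]
        for b in bindings
        if b["kind"] == "ClusterRoleBinding"
        and b["roleRef"]["name"] == "cluster-admin"
        for subject in b["subjects"]
    ]


def manifest_file(bindings):
    """Wrap several objects in a v1 List so one `kubectl apply -f` suffices."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": bindings},
                      indent=2)


if __name__ == "__main__":
    print(manifest_file(build_manifests()))
```

Run it and pipe the output to kubectl apply -f - while signed in as a member of the admin group; cluster_admin_subjects is the check to run periodically over the bindings actually present in the cluster (kubectl get clusterrolebindings -o json), since every group listed there is equivalent to the break-glass credential.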

VM Sizes and Generations

Explanation

**Explanation**: Azure Virtual Machine sizing options and hardware generations that determine CPU, memory, storage, and network performance characteristics. Different VM series are optimized for specific workloads. Note that "generation" means two different things: the version suffix of a series (v3, v4, v5) tracks the underlying hardware platform, while Generation 1 and Generation 2 VMs differ in boot architecture (BIOS versus UEFI). Security features such as Trusted Launch (Secure Boot and virtual TPM) require a Generation 2 image, so confirm the image and size support it before settling on a size.

Examples

**Examples**: B-series for burstable workloads, D-series for general purpose, F-series for compute-intensive tasks, M-series for memory-intensive applications.

Enterprise Use Case

**Use Case**: Performance optimization, cost management, workload-specific requirements, and matching resource needs to business demands.

Diagram

**Visual**: 
🎨 Azure VM Size Categories and Generations:

┌─────────────────────────────────────────────────────────────────┐
│                    🚗 VM SIZE CATEGORIES                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   ⚡ BURSTABLE (B)   │    │         🎯 GENERAL PURPOSE (D/DS)   │
│                     │    │                                     │
│ B-Series Features:  │    │  D-Series Features:                 │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │💰 Low cost      │ │    │  │⚖️ Balanced CPU/memory ratio     ││
│ │📊 Variable perf │ │    │  │🔄 Consistent performance       ││
│ │🏦 CPU credits   │ │    │  │💾 SSD storage options          ││
│ │⏰ Baseline usage│ │    │  │🌐 Premium networking           ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Sizes Available:    │    │  Popular Sizes:                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │B1s: 1 vCPU,     │ │    │  │D2s_v3: 2 vCPU, 8GB RAM        ││
│ │     1GB RAM     │ │───►│  │D4s_v3: 4 vCPU, 16GB RAM       ││
│ │B2s: 2 vCPU,     │ │    │  │D8s_v3: 8 vCPU, 32GB RAM       ││
│ │     4GB RAM     │ │    │  │D16s_v3: 16 vCPU, 64GB RAM     ││
│ │B4ms: 4 vCPU,    │ │    │  └─────────────────────────────────┘│
│ │      16GB RAM   │ │    │                                     │
│ └─────────────────┘ │    │  Use Cases:                         │
│                     │    │  ┌─────────────────────────────────┐│
│ Best For:           │    │  │🌐 Web applications              ││
│ ┌─────────────────┐ │    │  │📊 Business applications        ││
│ │🧪 Development   │ │    │  │🗄️ Database servers             ││
│ │🧪 Testing       │ │    │  │🎯 Enterprise workloads         ││
│ │🌐 Light web     │ │    │  └─────────────────────────────────┘│
│ │📧 Low traffic   │ │    └─────────────────────────────────────┘
│ └─────────────────┘ │    
└─────────────────────┘    ┌─────────────────────────────────────┐
                           │         🧠 MEMORY OPTIMIZED (M/E)   │
┌─────────────────────┐    │                                     │
│   🔥 COMPUTE (F/FX)  │───►│  Memory-Intensive Features:         │
│                     │    │  ┌─────────────────────────────────┐│
│ F-Series Features:  │    │  │🧠 High memory-to-CPU ratio     ││
│ ┌─────────────────┐ │    │  │⚡ Fast processors               ││
│ │🚀 High CPU      │ │    │  │💾 Large memory capacity        ││
│ │⚡ Fast processors│ │    │  │🔧 Enterprise workloads         ││
│ │💰 CPU optimized │ │    │  └─────────────────────────────────┘│
│ │🎯 Compute tasks │ │    │                                     │
│ └─────────────────┘ │    │  M-Series Examples:                 │
│                     │    │  ┌─────────────────────────────────┐│
│ Sizes Available:    │    │  │M64s: 64 vCPU, 1TB RAM         ││
│ ┌─────────────────┐ │    │  │M128s: 128 vCPU, 2TB RAM       ││
│ │F2s_v2: 2 vCPU,  │ │    │  │E64s_v3: 64 vCPU, 432GB RAM   ││
│ │        4GB RAM  │ │    │  │E96s_v5: 96 vCPU, 672GB RAM   ││
│ │F8s_v2: 8 vCPU,  │ │    │  └─────────────────────────────────┘│
│ │        16GB RAM │ │    │                                     │
│ │F72s_v2: 72 vCPU,│ │    │  Best For:                          │
│ │         144GB   │ │    │  ┌─────────────────────────────────┐│
│ └─────────────────┘ │    │  │🗄️ Large databases               ││
│                     │    │  │📊 Analytics workloads          ││
│ Best For:           │    │  │🧠 In-memory applications       ││
│ ┌─────────────────┐ │    │  │🏢 Enterprise applications      ││
│ │🔢 CPU intensive │ │    │  └─────────────────────────────────┘│
│ │🎮 Gaming        │ │    └─────────────────────────────────────┘
│ │🔬 Scientific    │ │    
│ │⚙️ Engineering   │ │    ┌─────────────────────────────────────┐
│ └─────────────────┘ │    │         🎨 SPECIALIZED SERIES       │
└─────────────────────┘    │                                     │
                           │  GPU Compute (NC/ND/NV):            │
                           │  ┌─────────────────────────────────┐│
                           │  │🖥️ GPU acceleration              ││
                           │  │🤖 Machine learning             ││
                           │  │🎨 Graphics workloads           ││
                           │  │🧬 Scientific computing         ││
                           │  └─────────────────────────────────┘│
                           │                                     │
                           │  Storage Optimized (L):             │
                           │  ┌─────────────────────────────────┐│
                           │  │💾 High disk throughput         ││
                           │  │🗄️ Big data applications        ││
                           │  │📊 Distributed analytics        ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

🎨 VM Generation Comparison:

v2 Generation:
├─ Older hardware platform
├─ Lower performance
├─ Standard networking
└─ Legacy support

v3 Generation:
├─ Intel Haswell processors
├─ Improved performance
├─ Enhanced networking
└─ Better price/performance

v4 Generation:
├─ Intel Cascade Lake
├─ Higher memory bandwidth
├─ Advanced networking
└─ Optimized for cloud

v5 Generation:
├─ Intel Ice Lake
├─ Latest processors
├─ Best performance
└─ Newest features

Sizing Commands:
───────────────────
az vm list-sizes --location "East US"
az vm list-skus --location "East US" --resource-type virtualMachines

Provision App Service Plan

Explanation

**Explanation**: Creation and configuration of App Service Plans that define the compute resources and pricing tier for Azure App Services. App Service Plans determine the region, instance size, scale count, and features available. Every app in a plan runs on every instance of that plan and shares its CPU, memory and outbound IP addresses, so a runaway or compromised app affects its neighbours; give untrusted or highly sensitive apps their own plan instead of co-hosting them with everything else.

Examples

**Examples**: Creating Free tier plans for development, Standard plans for production, Premium plans for high performance, configuring auto-scaling rules.

Enterprise Use Case

**Use Case**: Resource planning, cost optimization, performance management, and providing compute infrastructure for multiple web applications.

Diagram

**Visual**: 
🎨 App Service Plan Architecture and Configuration:

┌─────────────────────────────────────────────────────────────────┐
│                    🏢 APP SERVICE PLAN HIERARCHY               │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📋 PLAN DEFINITION │    │         🖥️ COMPUTE RESOURCES        │
│                     │    │                                     │
│ Plan Configuration: │    │  Resource Allocation:               │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Name: myPlan     │ │    │  │VM Instance Size:                ││
│ │Region: East US  │ │    │  │├─ Small (1 core, 1.75GB)       ││
│ │Resource Group   │ │    │  │├─ Medium (2 cores, 3.5GB)      ││
│ │Pricing Tier:    │ │    │  │├─ Large (4 cores, 7GB)         ││
│ │├─ Free (F1)     │ │    │  │└─ Extra Large (8 cores, 14GB)  ││
│ │├─ Shared (D1)   │ │    │  └─────────────────────────────────┘│
│ │├─ Basic (B1-3)  │ │    │                                     │
│ │├─ Standard (S1-3│ │    │  Instance Count:                    │
│ │├─ Premium (P1v2)│ │───►│  ┌─────────────────────────────────┐│
│ │└─ Isolated (I1) │ │    │  │Manual Scaling: 1-3 instances   ││
│ └─────────────────┘ │    │  │Auto Scaling: 1-10 instances    ││
│                     │    │  │Current Load: [██████░░] 60%    ││
│ Plan Features:      │    │  │Target CPU: Keep < 70%          ││
│ ┌─────────────────┐ │    │  │Scale Rules: Active             ││
│ │✅ SSL Support   │ │    │  └─────────────────────────────────┘│
│ │✅ Custom Domains│ │    │                                     │
│ │✅ Auto Scale    │ │    │  Network Configuration:             │
│ │✅ Staging Slots │ │    │  ┌─────────────────────────────────┐│
│ │✅ Daily Backups │ │    │  │VNet Integration: ✅ Enabled     ││
│ └─────────────────┘ │    │  │Private Endpoints: Available    ││
└─────────────────────┘    │  │Load Balancer: Automatic        ││
                           │  │SSL Offloading: ✅ Yes           ││
┌─────────────────────┐    │  └─────────────────────────────────┘│
│   📱 HOSTED APPS     │───►└─────────────────────────────────────┘
│                     │    
│ Apps in Plan:       │    ┌─────────────────────────────────────┐
│ ┌─────────────────┐ │    │         💰 PRICING BREAKDOWN        │
│ │🌐 webapp-prod   │ │    │                                     │
│ │├─ Production    │ │    │  Cost Analysis:                     │
│ │└─ High traffic  │ │    │  ┌─────────────────────────────────┐│
│ │                 │ │    │  │Free Tier (F1):                 ││
│ │🌐 webapp-stage  │ │    │  │├─ $0/month                      ││
│ │├─ Staging       │ │    │  │├─ 1GB storage                   ││
│ │└─ Testing       │ │    │  │└─ 60min CPU/day                 ││
│ │                 │ │    │  │                                ││
│ │🔧 api-service   │ │    │  │Standard Tier (S2):             ││
│ │├─ REST API      │ │    │  │├─ $149/month                    ││
│ │└─ Medium load   │ │───►│  │├─ 50GB storage                  ││
│ │                 │ │    │  │├─ Auto-scaling                  ││
│ │📊 admin-portal  │ │    │  │└─ 5 staging slots               ││
│ │├─ Internal use  │ │    │  │                                ││
│ │└─ Low traffic   │ │    │  │Premium Tier (P2v2):            ││
│ └─────────────────┘ │    │  │├─ $292/month                    ││
│                     │    │  │├─ 250GB storage                 ││
│ Resource Sharing:   │    │  │├─ High performance              ││
│ ┌─────────────────┐ │    │  │└─ 20 staging slots              ││
│ │CPU: Shared      │ │    │  └─────────────────────────────────┘│
│ │Memory: Shared   │ │    │                                     │
│ │Storage: Isolated│ │    │  Scaling Costs:                     │
│ │Network: Shared  │ │    │  ┌─────────────────────────────────┐│
│ └─────────────────┘ │    │  │Base: 1 instance = $149/month   ││
└─────────────────────┘    │  │Scale to 3: 3 instances = $447   ││
                           │  │Scale to 5: 5 instances = $745   ││
                           │  │Max 10: 10 instances = $1,490    ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

App Service Plan Commands:
────────────────────────────
# Create App Service Plan
az appservice plan create \
  --name myPlan \
  --resource-group myRG \
  --location "East US" \
  --sku S2 \
  --number-of-workers 2

# Scale App Service Plan  
az appservice plan update \
  --name myPlan \
  --resource-group myRG \
  --number-of-workers 5

# Enable auto-scaling (--resource-type is required when --resource is a
# name rather than a full resource ID)
az monitor autoscale create \
  --resource-group myRG \
  --resource myPlan \
  --resource-type Microsoft.Web/serverfarms \
  --min-count 2 \
  --max-count 10 \
  --count 3

Modify Existing ARM Templates

Explanation

**Explanation**: Process of updating and customizing existing Azure Resource Manager templates to meet specific requirements. Includes parameter modification, resource updates, and template optimization.

Examples

**Examples**: Adding new resources to templates, updating VM sizes, modifying network configurations, customizing parameters for different environments.

Enterprise Use Case

**Use Case**: Template reuse, environment-specific customization, incremental infrastructure updates, and template standardization across projects.

Diagram

**Visual**: 
🎨 ARM Template Modification Workflow:

┌─────────────────────────────────────────────────────────────────┐
│                    📝 TEMPLATE MODIFICATION PROCESS           │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📄 SOURCE TEMPLATE │    │         🔧 MODIFICATION AREAS       │
│                     │    │                                     │
│ Original Template:  │    │  Parameter Updates:                 │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │{                │ │    │  │"vmSize": {                     ││
│ │  "parameters": {│ │    │  │  "type": "string",             ││
│ │    "vmSize": {  │ │    │  │  "defaultValue": "Standard_D2s"││
│ │      "type":    │ │    │  │  "allowedValues": [            ││
│ │      "string",  │ │    │  │    "Standard_B2s",  ← Add new  ││
│ │      "default": │ │    │  │    "Standard_D2s_v3",          ││
│ │      "Standard_ │ │    │  │    "Standard_D4s_v3"           ││
│ │       B2s"      │ │    │  │  ]                             ││
│ │    }            │ │    │  │}                               ││
│ │  }              │ │    │  └─────────────────────────────────┘│
│ │}                │ │    │                                     │
│ └─────────────────┘ │───►│  Resource Modifications:            │
│                     │    │  ┌─────────────────────────────────┐│
│ Template Structure: │    │  │Add new storage account:        ││
│ ┌─────────────────┐ │    │  │{                               ││
│ │📋 Parameters    │ │    │  │  "type": "Microsoft.Storage/   ││
│ │🔧 Variables     │ │    │  │          storageAccounts",     ││
│ │🏗️ Resources     │ │    │  │  "apiVersion": "2021-04-01",   ││
│ │📤 Outputs       │ │    │  │  "name": "[parameters('storage ││
│ └─────────────────┘ │    │  │          AccountName')]",      ││
│                     │    │  │  "properties": {               ││
│ Version Control:    │    │  │    "accessTier": "Hot"         ││
│ ┌─────────────────┐ │    │  │  }                             ││
│ │📁 Original.json │ │    │  │}                               ││
│ │📁 Modified.json │ │    │  └─────────────────────────────────┘│
│ │📁 Changelog.md  │ │    └─────────────────────────────────────┘
│ └─────────────────┘ │    
└─────────────────────┘    ┌─────────────────────────────────────┐
                           │         ⚡ ADVANCED MODIFICATIONS    │
┌─────────────────────┐    │                                     │
│   🔄 COMMON UPDATES  │───►│  Conditional Logic:                 │
│                     │    │  ┌─────────────────────────────────┐│
│ Environment Config: │    │  │"condition": "[equals(parameters ││
│ ┌─────────────────┐ │    │  │ ('environment'), 'production')]"││
│ │Development:     │ │    │  │                                ││
│ │├─ Small VMs     │ │    │  │"dependsOn": [                  ││
│ │├─ Basic storage │ │    │  │  "[resourceId('Microsoft.      ││
│ │└─ No backup     │ │    │  │   Network/virtualNetworks',    ││
│ │                 │ │    │  │   parameters('vnetName'))]"    ││
│ │Production:      │ │    │  │]                               ││
│ │├─ Large VMs     │ │    │  └─────────────────────────────────┘│
│ │├─ Premium SSD   │ │    │                                     │
│ │└─ Backup enabled│ │    │  Copy Loops:                        │
│ └─────────────────┘ │    │  ┌─────────────────────────────────┐│
│                     │    │  │"copy": {                       ││
│ Feature Toggles:    │    │  │  "name": "vmLoop",             ││
│ ┌─────────────────┐ │    │  │  "count": "[parameters('vm     ││
│ │Enable Monitoring│ │    │  │           Count')]",           ││
│ │Enable Backup    │ │    │  │  "mode": "Parallel"            ││
│ │Enable SSL       │ │    │  │}                               ││
│ │Enable Auto-scale│ │    │  │"name": "[concat('vm-',         ││
│ └─────────────────┘ │    │  │  copyIndex())]"                ││
└─────────────────────┘    │  └─────────────────────────────────┘│
                           │                                     │
                           │  Nested Templates:                  │
                           │  ┌─────────────────────────────────┐│
                           │  │"templateLink": {               ││
                           │  │  "uri": "[concat(parameters(   ││
                           │  │   'templateBaseUrl'),          ││
                           │  │   'storage.json')]"            ││
                           │  │}                               ││
                           │  │                                ││
                           │  │"parametersLink": {             ││
                           │  │  "uri": "[parameters('params   ││
                           │  │         Url')]"                ││
                           │  │}                               ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

🎨 Template Testing and Validation:

Development Workflow:
├─ 1. Export existing template
├─ 2. Modify parameters and resources
├─ 3. Validate syntax with az deployment validate
├─ 4. Test deploy to development environment
├─ 5. Document changes and version control
└─ 6. Deploy to production with approval

Validation Commands:
─────────────────────────
# Validate template syntax
az deployment group validate \
  --resource-group myRG \
  --template-file modified-template.json \
  --parameters @parameters.json

# What-if deployment
az deployment group what-if \
  --resource-group myRG \
  --template-file modified-template.json \
  --parameters @parameters.json

# Deploy with monitoring
az deployment group create \
  --resource-group myRG \
  --template-file modified-template.json \
  --parameters @parameters.json \
  --verbose

Best Practices:
──────────────────
✅ Always version control templates
✅ Use parameter files for environments
✅ Keep secrets out of templates and parameter files (secureString parameters with Key Vault references)
✅ Test in non-production first
✅ Run what-if and review the change set before every deployment
✅ Document all modifications
✅ Use descriptive resource names
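The modification workflow above, carried out on a template, as an added example that is not code from this guide or from Azure. The source template is a constructed minimal one (one VM resource), and the storageAccountName parameter and resource names are assumptions for illustration. It also shows why the validation step exists: the exported template's default size is not in its own allowedValues, which az deployment group validate would reject, and the appended storage account is linted for the three settings a reviewer checks first (HTTPS only, TLS 1.2 minimum, anonymous blob access off).

```python
"""Modify an exported ARM template and lint the result before deploying.

Added example, not code from the guide or from Azure. The source template is
a constructed minimal one (a single VM resource); the resource names and the
`storageAccountName` parameter are assumptions for illustration.
"""
import copy
import json
import re

PARAM_REF = re.compile(r"parameters\('([^']+)'\)")

SOURCE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vmSize": {
            "type": "string",
            "defaultValue": "Standard_B2s",
            "allowedValues": ["Standard_D2s_v3", "Standard_D4s_v3"],
        },
        "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
    },
    "resources": [
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2021-03-01",
            "name": "vm-app-01",
            "location": "[parameters('location')]",
            "properties": {"hardwareProfile": {"vmSize": "[parameters('vmSize')]"}},
        }
    ],
}


def parameter_refs(node):
    """Collect every parameters('x') reference anywhere under `node`."""
    if isinstance(node, dict):
        return {r for v in node.values() for r in parameter_refs(v)}
    if isinstance(node, list):
        return {r for v in node for r in parameter_refs(v)}
    if isinstance(node, str):
        return set(PARAM_REF.findall(node))
    return set()


def lint(template):
    """Return problems that validation would reject or a security review
    would flag. An empty list means clean."""
    problems = []
    params = template.get("parameters", {})
    for ref in sorted(parameter_refs(template.get("resources", []))):
        if ref not in params:
            problems.append(f"undeclared parameter reference: {ref}")
    for name, spec in params.items():
        allowed = spec.get("allowedValues")
        if allowed and "defaultValue" in spec and spec["defaultValue"] not in allowed:
            problems.append(f"default of {name} is not in allowedValues")
    for res in template.get("resources", []):
        if res["type"] == "Microsoft.Storage/storageAccounts":
            props = res.get("properties", {})
            if props.get("supportsHttpsTrafficOnly") is not True:
                problems.append(f"{res['name']}: HTTP allowed")
            if props.get("minimumTlsVersion") != "TLS1_2":
                problems.append(f"{res['name']}: minimumTlsVersion not TLS1_2")
            if props.get("allowBlobPublicAccess") is not False:
                problems.append(f"{res['name']}: anonymous blob access not disabled")
    return problems


def modify_template(template):
    """The guide's modification, applied to a copy: add Standard_B2s to the
    allowed sizes and append a storage account with hardened defaults."""
    t = copy.deepcopy(template)
    t["parameters"]["vmSize"]["allowedValues"].insert(0, "Standard_B2s")
    t["parameters"]["storageAccountName"] = {"type": "string", "maxLength": 24}
    t["resources"].append({
        "type": "Microsoft.Storage/storageAccounts",
        "apiVersion": "2021-04-01",
        "name": "[parameters('storageAccountName')]",
        "location": "[parameters('location')]",
        "sku": {"name": "Standard_LRS"},
        "kind": "StorageV2",
        "properties": {
            "accessTier": "Hot",
            "supportsHttpsTrafficOnly": True,
            "minimumTlsVersion": "TLS1_2",
            "allowBlobPublicAccess": False,
        },
    })
    return t


if __name__ == "__main__":
    print("before:", lint(SOURCE_TEMPLATE))
    modified = modify_template(SOURCE_TEMPLATE)
    print("after:", lint(modified))
    print(json.dumps(modified, indent=2))   # save as modified-template.json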

App Service Scaling

Explanation

**Explanation**: Azure App Service scaling capabilities that allow applications to handle varying workloads through manual or automatic scaling. Includes scale up (vertical scaling) to increase VM power and scale out (horizontal scaling) to add more instances.

Examples

**Examples**: Scaling during peak traffic periods, handling seasonal workload variations, managing cost optimization during low usage, preparing for marketing campaigns, handling sudden traffic spikes.

Enterprise Use Case

**Use Case**: E-commerce applications scaling during sales events, media websites handling viral content traffic, SaaS applications growing user base, API services managing variable request volumes.

Diagram

**Visual**: 
🎨 App Service Scaling Strategy:

┌─────────────────────────────────────────────────────────────────┐
│                    🔄 SCALING DIMENSIONS                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│    🚀 SCALE UP      │    │           ➡️ SCALE OUT              │
│   (Vertical)        │    │         (Horizontal)                │
│                     │───►│                                     │
│ CPU: 1 → 4 cores    │    │  Instances: 1 → 10                 │
│ RAM: 2 → 16 GB      │    │  ┌─────────────────────────────────┐│
│ Plan: S1 → P3v3     │    │  │Instance 1: myapp-001.azurewebsi││
│                     │    │  │Instance 2: myapp-002.azurewebsi││
│ Single Instance:    │    │  │Instance 3: myapp-003.azurewebsi││
│ ┌─────────────────┐ │    │  │Load Balancer distributes traffic││
│ │More Powerful VM │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
└─────────────────────┘    └─────────────────────────────────────┘

🎯 Scaling Triggers:
────────────────────
📈 CPU Usage > 70%    → Scale Out
📉 CPU Usage < 30%    → Scale In  
🕐 Schedule-based     → Scheduled profiles (not predictive autoscale)
📊 Custom Metrics     → Application-specific

App Service Scaling Settings Configuration

Explanation

**Explanation**: Detailed configuration options for Azure App Service autoscaling including scale rules, metrics, conditions, and actions. A rule's "Duration" is the look-back window over which the metric is aggregated before it is compared with the threshold; a cooldown after each action stops back-to-back changes, and before a scale-in autoscale projects the load the remaining instances would carry and skips the action if that would immediately re-trigger a scale-out (flapping protection). Keep a clear gap between the scale-out and scale-in thresholds for the same reason.

Examples

**Examples**: Setting CPU threshold rules, configuring memory-based scaling, creating time-based schedules, setting up queue length triggers, defining custom application metrics for scaling decisions.

Enterprise Use Case

**Use Case**: Production applications requiring precise scaling control, cost-sensitive environments needing optimal resource usage, applications with predictable traffic patterns, high-availability services requiring consistent performance.

Diagram

**Visual**: 
🎨 App Service Scaling Configuration:

┌─────────────────────────────────────────────────────────────────┐
│                 ⚙️ AUTOSCALE SETTINGS                          │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📊 SCALE RULES    │    │         📅 SCALE PROFILES           │
│                     │───►│                                     │
│ Rule 1: Scale Out   │    │  Profile: "Work Hours"             │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Metric: CPU %    │ │    │  │Mon-Fri: 8AM-6PM               ││
│ │Condition: > 70% │ │    │  │Min Instances: 2                ││
│ │Duration: 5 mins │ │    │  │Max Instances: 10               ││
│ │Action: +2 inst  │ │    │  │Default Instances: 3            ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Rule 2: Scale In    │    │  Profile: "Off Hours"              │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Metric: CPU %    │ │    │  │Nights & Weekends               ││
│ │Condition: < 30% │ │    │  │Min Instances: 1                ││
│ │Duration: 10 min │ │    │  │Max Instances: 3                ││
│ │Action: -1 inst  │ │    │  │Default Instances: 1            ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

Portal Configuration:
─────────────────────
🖥️  Settings → Scale out (App Service plan)
📈  Add rule → Select metric → Set threshold
⏱️  Set time aggregation and duration
🎯  Define scale action (increase/decrease)
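A simulation of the two rules above (and of the autoscale setting created with az monitor autoscale create in the App Service Plan section), as an added example that is not code from this guide or from Azure Monitor. It models the documented evaluation behaviour: each rule looks at the metric's average over its own window, every action is followed by a cooldown, and a scale-in is skipped when the load it would leave on the remaining instances would immediately trip a scale-out rule. The one-per-minute CPU samples are constructed.

```python
"""Simulate Azure autoscale rule evaluation for an App Service plan.

Added example, not code from the guide or from Azure Monitor. It models the
documented behaviour of rule evaluation: a rule fires when the metric's
average over its look-back window crosses the threshold, a cooldown follows
every action, and a scale-in is skipped when the load it would leave on the
remaining instances would immediately trigger a scale-out (flapping
protection). The CPU samples are constructed, one per minute.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Rule:
    direction: str       # "out" adds instances, "in" removes them
    threshold: float     # percent CPU
    window_min: int      # look-back window ("Duration" in the portal)
    change: int          # instances added (positive) or removed (negative)
    cooldown_min: int = 5

    def fires(self, window):
        avg = mean(window)
        return avg > self.threshold if self.direction == "out" else avg < self.threshold


@dataclass
class Profile:
    min_instances: int
    max_instances: int
    rules: list


# The two rules from the diagram ("Work Hours" bounds).
WORK_HOURS = Profile(
    min_instances=2, max_instances=10,
    rules=[Rule("out", 70, 5, +2), Rule("in", 30, 10, -1)],
)


def would_flap(avg_cpu, current, proposed, profile):
    """Project per-instance load after a scale-in (total work unchanged,
    spread over fewer instances) and report whether that projection would
    trigger any scale-out rule. Azure skips the scale-in in that case."""
    projected = avg_cpu * current / proposed
    return any(projected > r.threshold for r in profile.rules if r.direction == "out")


def simulate(profile, cpu_samples, start_instances):
    """Walk one-minute CPU samples; return (final_count, actions) where each
    action is (minute, instances_before, instances_after, direction)."""
    instances = start_instances
    actions = []
    last = None                            # (minute, rule) of the last action
    for minute in range(len(cpu_samples)):
        if last is not None and minute - last[0] < last[1].cooldown_min:
            continue                       # still in cooldown
        for rule in profile.rules:
            if minute + 1 < rule.window_min:
                continue                   # not enough history for this window
            window = cpu_samples[minute + 1 - rule.window_min: minute + 1]
            if not rule.fires(window):
                continue
            target = max(profile.min_instances,
                         min(profile.max_instances, instances + rule.change))
            if target == instances:
                continue                   # already at the bound
            if rule.direction == "in" and would_flap(mean(window), instances, target, profile):
                continue                   # flapping protection
            actions.append((minute, instances, target, rule.direction))
            instances = target
            last = (minute, rule)
            break
    return instances, actions


# Constructed sample: 8 minutes of heavy load, then a quiet period.
SAMPLES = [85] * 8 + [25] * 12


if __name__ == "__main__":
    final, actions = simulate(WORK_HOURS, SAMPLES, start_instances=2)
    for minute, before, after, direction in actions:
        print(f"minute {minute:2d}: scale {direction} {before} -> {after}")
    print("final instance count:", final)
```

With the constructed samples the plan scales out from 2 to 4 at minute 4 and back to 3 at minute 17, not earlier, because the ten-minute scale-in window still contains the heavy-load minutes until then. would_flap is why a "-2" scale-in from three instances at 28% CPU never happens: the survivor would sit at 84%, above the scale-out threshold.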

App Service Networking Configuration

Explanation

**Explanation**: Network configuration options for Azure App Service including custom domains, TLS certificates, access restrictions (IP rules), VNet integration, and private endpoints. Access restriction rules are evaluated from the lowest priority number upward, the first match wins, and once any rule exists unmatched traffic is denied by default. The advanced tool site (scm, used by Kudu) has its own rule set unless it is configured to use the main site rules, and an app published through Azure Front Door should allow only the AzureFrontDoor.Backend service tag and require its own X-Azure-FDID header, otherwise any Front Door profile can reach it.

Examples

**Examples**: Configuring custom domains with TLS, setting up IP allow lists for admin access, integrating with corporate VNets, creating private endpoints for secure access, configuring hybrid connections.

Enterprise Use Case

**Use Case**: Enterprise applications requiring secure network access, compliance with security policies, integration with on-premises resources, restricting access to specific networks or users.

Diagram

**Visual**: 
🎨 App Service Networking Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                  🌐 NETWORK CONFIGURATION                      │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🔒 ACCESS CONTROL │    │         🔗 CONNECTIVITY             │
│                     │───►│                                     │
│ IP Restrictions:    │    │  VNet Integration:                  │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Allow: 10.0.0.0/ │ │    │  │Corporate VNet: 172.16.0.0/16   ││
│ │       24        │ │    │  │App Subnet: 172.16.1.0/24      ││
│ │Deny: All others │ │    │  │Private Endpoint: Enabled       ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Service Endpoints:  │    │  Hybrid Connections:                │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │SQL Database     │ │    │  │On-premises: corp-db.local:1433 ││
│ │Storage Account  │ │    │  │File Share: \\fileserver\data   ││
│ │Key Vault        │ │    │  │API Gateway: api.company.com    ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

SSL/TLS Configuration:
─────────────────────
🔐 Custom Domain: myapp.company.com
📜 Certificate: Let's Encrypt / Custom
🛡️  TLS Version: 1.2+ only
🚫 HTTP: Redirect to HTTPS

App Service Deployment Settings

Explanation

**Explanation**: Configuration options for deploying applications to Azure App Service including deployment methods, source control integration, build processes, and deployment slots. Enables continuous integration and delivery workflows.

Examples

**Examples**: GitHub Actions deployment, Azure DevOps integration, FTP deployment, ZIP deployment, Docker container deployment, local Git deployment, Visual Studio publishing.

Enterprise Use Case

**Use Case**: Development teams implementing CI/CD pipelines, automated deployments from source control, staging and production deployment workflows, rollback capabilities, testing in production-like environments.

Diagram

**Visual**: 
🎨 App Service Deployment Pipeline:

┌─────────────────────────────────────────────────────────────────┐
│                   🚀 DEPLOYMENT WORKFLOW                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📂 SOURCE CONTROL │    │         🔄 BUILD & DEPLOY           │
│                     │───►│                                     │
│ GitHub Repository:  │    │  Deployment Method:                 │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │main branch      │ │    │  │✅ Continuous Deployment        ││
│ │├─ /src          │ │    │  │✅ Build in Azure (Oryx)        ││
│ │├─ package.json  │ │    │  │✅ Node.js 18.x detected        ││
│ │├─ web.config    │ │    │  │✅ npm install & build          ││
│ │└─ Dockerfile    │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  Deployment Slots:                  │
│ Webhook Triggers:   │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │Production: myapp.azurewebsites ││
│ │Push to main     │ │    │  │Staging: myapp-staging.azure... ││
│ │Pull request     │ │    │  │Development: myapp-dev.azure... ││
│ │Tag creation     │ │    │  │A/B Testing: myapp-test.azure...││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

Deployment Configuration:
────────────────────────
⚙️  Deployment Center → GitHub Actions
🔧 Build Provider: App Service Build
🎯 Runtime Stack: Node.js 18 LTS
📋 Startup Command: npm start

App Service Authentication

Explanation

**Explanation**: Built-in authentication and authorization service for Azure App Service that integrates with popular identity providers. Enables secure access control without writing custom authentication code.

Examples

**Examples**: Microsoft Entra ID (Azure AD) login, Facebook/Google social login, Twitter authentication, custom OpenID Connect providers, JWT token validation, role-based access control.

Enterprise Use Case

**Use Case**: Web applications requiring user authentication, SaaS applications with multi-tenant access, corporate applications using company directories, customer-facing portals with social login options.

Diagram

**Visual**: 
🎨 App Service Authentication Flow:

┌─────────────────────────────────────────────────────────────────┐
│                  🔐 AUTHENTICATION PROVIDERS                   │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   👤 USER LOGIN     │    │         ✅ VERIFICATION             │
│                     │───►│                                     │
│ Provider Options:   │    │  Identity Validation:               │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │🏢 Microsoft     │ │    │  │Token Verification              ││
│ │   Entra ID      │ │    │  │Claims Extraction               ││
│ │📘 Facebook      │ │    │  │Role Assignment                 ││
│ │🔍 Google        │ │    │  │Session Creation                ││
│ │🐦 Twitter       │ │    │  └─────────────────────────────────┘│
│ │🔗 Custom OIDC   │ │    │                                     │
│ └─────────────────┘ │    │  App Service Response:              │
│                     │    │  ┌─────────────────────────────────┐│
│ Login Flow:         │    │  │✅ Authenticated Request         ││
│ 1. Redirect to      │    │  │📋 User Claims Available        ││
│    Provider         │    │  │🎫 X-MS-CLIENT-PRINCIPAL        ││
│ 2. User Consents    │    │  │🔒 Authorized Access Granted    ││
│ 3. Token Exchange   │    │  └─────────────────────────────────┘│
│ 4. App Access       │    │                                     │
└─────────────────────┘    └─────────────────────────────────────┘

Configuration Steps:
───────────────────
🖥️  Authentication/Authorization → On
🔧 Identity Provider → Add provider
⚙️  Action: Redirect to login page
📋 Token Store: Enabled
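Added example (not code from the study guide): how an app behind App Service authentication reads the `X-MS-CLIENT-PRINCIPAL` header shown in the diagram and enforces a role from it. The principal document, display name, audience and role names are a constructed sample; the claim-type URIs are the standard ones used in Entra ID tokens.

```python
"""Consume the X-MS-CLIENT-PRINCIPAL header injected by App Service authentication.

Added example; not code from the study guide. After the built-in authentication (Easy
Auth) validates the provider token, it hands the request to the app with
X-MS-CLIENT-PRINCIPAL set to a base64-encoded JSON document: auth_typ, name_typ, role_typ
and a claims list of {typ, val} objects. The principal below is a constructed sample.
"""
import base64
import json
from typing import Dict, List, Mapping, Optional

ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"


def decode_client_principal(header_value: str) -> Dict:
    """Decode the header; reject malformed input instead of returning a partial document."""
    padded = header_value + "=" * (-len(header_value) % 4)   # tolerate stripped padding
    try:
        doc = json.loads(base64.b64decode(padded, validate=True))
    except ValueError as exc:                                  # binascii and JSON errors
        raise ValueError("malformed X-MS-CLIENT-PRINCIPAL header") from exc
    if not isinstance(doc, dict) or not isinstance(doc.get("claims"), list):
        raise ValueError("principal document has no claims list")
    return doc


def claims_of_type(doc: Dict, claim_type: str) -> List[str]:
    """All values of one claim type, in the order the platform listed them."""
    return [c["val"] for c in doc["claims"] if c.get("typ") == claim_type]


def principal_roles(doc: Dict) -> List[str]:
    """Role claims are whichever claim type the document's role_typ field names."""
    return claims_of_type(doc, doc.get("role_typ", "roles"))


def authorize(headers: Mapping[str, str], required_role: str) -> Optional[str]:
    """Return the caller's display name if the request carries required_role, else None.

    Trusting this header is safe only because the App Service front end overwrites any
    X-MS-CLIENT-PRINCIPAL a client sends before injecting its own; an app reachable by a
    path that bypasses the front end must validate the provider token itself instead.
    """
    lowered = {k.lower(): v for k, v in headers.items()}      # header names are case-insensitive
    value = lowered.get("x-ms-client-principal")
    if not value:
        return None          # anonymous request (only reaches the app if unauthenticated access is allowed)
    doc = decode_client_principal(value)
    if required_role not in principal_roles(doc):
        return None
    names = claims_of_type(doc, doc.get("name_typ", "name"))
    return names[0] if names else None


def encode_client_principal(doc: Dict) -> str:
    """Encode a document the way the platform does (used here only to build the sample)."""
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed sample principal, shaped like what Easy Auth emits for an Entra ID sign-in.
SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "name_typ": NAME_CLAIM,
    "role_typ": ROLE_CLAIM,
    "claims": [
        {"typ": "aud", "val": "api://contoso-portal"},
        {"typ": NAME_CLAIM, "val": "Alice Example"},
        {"typ": ROLE_CLAIM, "val": "Reader"},
        {"typ": ROLE_CLAIM, "val": "Admin"},
    ],
}
SAMPLE_HEADER = encode_client_principal(SAMPLE_PRINCIPAL)
```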

Advanced Compute Configuration

Explanation

**Explanation**: Advanced Azure compute features including Custom Script Extensions for VM automation, Azure Application Gateway for advanced load balancing, and Azure Dedicated Host for isolated compute resources with enhanced security and compliance.

Examples

**Examples**: Automating VM setup with PowerShell scripts, implementing WAF protection with Application Gateway, deploying on dedicated physical servers, custom software installation, compliance-driven isolation requirements.

Enterprise Use Case

**Use Case**: Enterprise applications requiring automated deployment, high-security environments needing physical isolation, complex application architectures requiring advanced load balancing, compliance requirements for dedicated infrastructure.

Diagram

**Visual**: 
🎨 Advanced Compute Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                 🏗️ ADVANCED COMPUTE FEATURES                   │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🤖 CUSTOM SCRIPTS  │    │      🏢 DEDICATED HOSTS             │
│                     │───►│                                     │
│ Extensions:         │    │  Physical Server Isolation:        │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │PowerShell DSC   │ │    │  │Host: DH-001 (Dell R740)        ││
│ │Chef             │ │    │  │├─ VM1: Web Server              ││
│ │Puppet           │ │    │  │├─ VM2: Database Server         ││
│ │Custom Scripts   │ │    │  │├─ VM3: Application Server      ││
│ └─────────────────┘ │    │  │└─ Available Capacity: 40%      ││
│                     │    │  └─────────────────────────────────┘│
│ Automation Tasks:   │    │                                     │
│ ┌─────────────────┐ │    │  Benefits:                          │
│ │Software Install │ │    │  ┌─────────────────────────────────┐│
│ │Config Changes   │ │    │  │🔒 Physical Isolation           ││
│ │Domain Join      │ │    │  │📋 Compliance Support           ││
│ │Monitoring Setup │ │    │  │💰 Cost Predictability          ││
│ └─────────────────┘ │    │  │⚡ High Performance              ││
└─────────────────────┘    │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│            🌐 APPLICATION GATEWAY                               │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🛡️ WAF PROTECTION │    │         ⚖️ LOAD BALANCING          │
│                     │───►│                                     │
│ Security Features:  │    │  Routing Rules:                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │SQL Injection    │ │    │  │Path: /api/* → Backend Pool 1   ││
│ │XSS Protection   │ │    │  │Path: /app/* → Backend Pool 2   ││
│ │DDoS Mitigation  │ │    │  │Host: admin.* → Backend Pool 3  ││
│ │Custom Rules     │ │    │  │SSL Termination: Enabled        ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

Custom Script Extensions

Explanation

**Explanation**: VM extensions that enable running custom scripts on Azure Virtual Machines for automation, configuration, and post-deployment tasks. Supports PowerShell, Bash, and other scripting languages across Windows and Linux VMs.

Examples

**Examples**: Installing software packages, configuring applications, joining domains, setting up monitoring agents, downloading and configuring files, running diagnostic tools, applying security configurations.

Enterprise Use Case

**Use Case**: Automated VM configuration during deployment, standardizing VM setups across environments, installing custom applications, applying organizational policies, bootstrapping development environments.

Diagram

**Visual**: 
🎨 Custom Script Extension Workflow:

┌─────────────────────────────────────────────────────────────────┐
│                  🤖 SCRIPT EXTENSION LIFECYCLE                  │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   📜 SCRIPT SOURCE  │    │         🖥️ VM EXECUTION             │
│                     │───►│                                     │
│ Storage Options:    │    │  Windows VM (PowerShell):          │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Azure Blob       │ │    │  │# Install IIS                   ││
│ │GitHub Repository│ │    │  │Enable-WindowsOptionalFeature   ││
│ │Public URL       │ │    │  │  -Online -All -FeatureName     ││
│ │Inline Script    │ │    │  │  IIS-WebServer                 ││
│ └─────────────────┘ │    │  │                                ││
│                     │    │  │# Configure Application         ││
│ Script Parameters:  │    │  │Copy-Item setup.msi C:\temp\    ││
│ ┌─────────────────┐ │    │  │Start-Process msiexec.exe       ││
│ │Environment vars │ │    │  └─────────────────────────────────┘│
│ │File URLs        │ │    │                                     │
│ │Command args     │ │    │  Linux VM (Bash):                  │
│ │Secure strings   │ │    │  ┌─────────────────────────────────┐│
│ └─────────────────┘ │    │  │#!/bin/bash                     ││
└─────────────────────┘    │  │apt-get update                  ││
                           │  │apt-get install -y nginx        ││
                           │  │systemctl enable nginx          ││
                           │  │wget config.tar.gz              ││
                           │  │tar -xzf config.tar.gz          ││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘

Deployment Methods:
──────────────────
🖥️  Portal: VM → Extensions → Add
💻 CLI: az vm extension set
⚡ PowerShell: Set-AzVMCustomScriptExtension
🏗️  ARM Template: Microsoft.Compute/virtualMachines/extensions

Azure Application Gateway

Explanation

**Explanation**: Layer 7 (HTTP/HTTPS) load balancer that provides an application delivery controller (ADC) as a service. Offers a web application firewall (WAF), SSL/TLS termination, URL path-based routing, and multi-site hosting.

Examples

**Examples**: Load balancing web traffic across multiple servers, implementing SSL offloading, routing based on URL paths, protecting web applications with WAF, supporting multiple websites on single gateway.

Enterprise Use Case

**Use Case**: High-availability web applications, microservices architectures requiring path-based routing, organizations needing web application security, multi-tenant applications, SSL certificate management.

Diagram

**Visual**: 
🎨 Azure Application Gateway Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                   🌐 APPLICATION GATEWAY                        │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🌍 FRONTEND       │    │        🎯 BACKEND POOLS             │
│                     │───►│                                     │
│ Public IP:          │    │  Pool 1: Web Servers               │
│ 203.0.113.10        │    │  ┌─────────────────────────────────┐│
│                     │    │  │VM1: 10.0.1.10:80               ││
│ Listeners:          │    │  │VM2: 10.0.1.11:80               ││
│ ┌─────────────────┐ │    │  │VM3: 10.0.1.12:80               ││
│ │HTTP: Port 80    │ │    │  └─────────────────────────────────┘│
│ │HTTPS: Port 443  │ │    │                                     │
│ │Multi-site:      │ │    │  Pool 2: API Servers               │
│ │  api.site.com   │ │    │  ┌─────────────────────────────────┐│
│ │  app.site.com   │ │    │  │VM4: 10.0.2.10:8080             ││
│ └─────────────────┘ │    │  │VM5: 10.0.2.11:8080             ││
└─────────────────────┘    │  │App Service: myapi.azurewebsites││
                           │  └─────────────────────────────────┘│
                           └─────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│                    🛡️ SECURITY & ROUTING                       │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│     🔒 WAF          │    │      📍 ROUTING RULES               │
│                     │───►│                                     │
│ Protection Against: │    │  Rule 1: Path-based                │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │SQL Injection    │ │    │  │/api/* → API Pool               ││
│ │Cross-site       │ │    │  │/app/* → Web Pool               ││
│ │  Scripting      │ │    │  │Priority: 100                   ││
│ │DDoS Attacks     │ │    │  └─────────────────────────────────┘│
│ │Custom Rules     │ │    │                                     │
│ └─────────────────┘ │    │  Rule 2: Multi-site                │
│                     │    │  ┌─────────────────────────────────┐│
│ SSL Termination:    │    │  │admin.company.com → Admin Pool  ││
│ ┌─────────────────┐ │    │  │www.company.com → Public Pool   ││
│ │Certificate      │ │    │  │Priority: 200                   ││
│ │  Management     │ │    │  └─────────────────────────────────┘│
│ │End-to-End SSL   │ │    │                                     │
│ └─────────────────┘ │    │  Health Probes: HTTP/HTTPS         │
└─────────────────────┘    └─────────────────────────────────────┘
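Added example (not code from the study guide or from Azure) that resolves the routing rules in the diagram above: listener selection by port and Host header, then the path map with its default pool. Listener, host and pool names are constructed, and the ranking of wildcard host names between exact and basic listeners is an assumption.

```python
"""Resolve the backend pool an Application Gateway request is routed to.

Added example; not code from the study guide or from Azure. It models the layer-7
routing steps: a listener is chosen by frontend port and Host header, with a multi-site
listener preferred over a basic listener on the same port; the request routing rule on
that listener then walks its URL path map and falls back to the rule's default pool.
Ranking wildcard host names between exact and basic listeners is an assumption.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Listener:
    name: str
    port: int
    host_names: Tuple[str, ...] = ()   # empty = basic listener (any Host header)


@dataclass(frozen=True)
class PathRule:
    patterns: Tuple[str, ...]           # "/api/*" is a prefix match, "/health" an exact match
    pool: str


@dataclass(frozen=True)
class RoutingRule:
    priority: int                       # lower number wins when several listeners match
    listener: str
    default_pool: str
    path_rules: Tuple[PathRule, ...] = ()


def host_rank(listener: Listener, host: str) -> Optional[int]:
    """0 = exact host match, 1 = wildcard match, 2 = basic listener, None = no match."""
    host = host.split(":")[0].lower()   # Host header may carry a port suffix
    if not listener.host_names:
        return 2
    ranks: List[int] = []
    for pattern in listener.host_names:
        pattern = pattern.lower()
        if pattern == host:
            ranks.append(0)
        elif pattern.startswith("*") and fnmatchcase(host, pattern):
            ranks.append(1)
    return min(ranks) if ranks else None


def path_matches(pattern: str, path: str) -> bool:
    """Path patterns are compared case-insensitively; a trailing * makes a prefix match."""
    pattern, path = pattern.lower(), path.lower()
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def route(listeners: Sequence[Listener], rules: Sequence[RoutingRule],
          port: int, host: str, path: str) -> Tuple[str, str]:
    """Return (listener name, backend pool); raise LookupError when no listener matches."""
    by_name = {lsn.name: lsn for lsn in listeners}
    candidates = []
    for rule in rules:
        listener = by_name[rule.listener]
        if listener.port != port:
            continue
        rank = host_rank(listener, host)
        if rank is not None:
            candidates.append((rank, rule.priority, rule))
    if not candidates:
        raise LookupError(f"no listener for {host}:{port}")
    rule = min(candidates, key=lambda c: (c[0], c[1]))[2]
    for path_rule in rule.path_rules:          # path map entries are checked in order
        if any(path_matches(p, path) for p in path_rule.patterns):
            return rule.listener, path_rule.pool
    return rule.listener, rule.default_pool


# Constructed configuration matching the diagram above.
LISTENERS = (
    Listener("http-basic", 80),
    Listener("https-www", 443, ("www.company.com",)),
    Listener("https-admin", 443, ("admin.company.com",)),
)
RULES = (
    RoutingRule(100, "https-www", "Public Pool",
                (PathRule(("/api/*",), "API Pool"), PathRule(("/app/*",), "Web Pool"))),
    RoutingRule(200, "https-admin", "Admin Pool"),
    RoutingRule(300, "http-basic", "Public Pool"),
)
```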

Azure Dedicated Host

Explanation

**Explanation**: Physical servers dedicated exclusively to a single Azure subscription, providing server-level isolation for compliance, security, and licensing requirements. Offers predictable performance, control over maintenance timing, and support for Azure Hybrid Benefit.

Examples

**Examples**: Meeting regulatory compliance for sensitive workloads, using existing Windows Server licenses with Software Assurance, controlling maintenance schedules for critical applications, isolating workloads for security requirements.

Enterprise Use Case

**Use Case**: Organizations with strict compliance requirements, enterprises maximizing existing license investments, applications requiring predictable performance, workloads needing physical isolation from multi-tenant infrastructure.

Diagram

**Visual**: 
🎨 Azure Dedicated Host Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                 🏢 DEDICATED HOST INFRASTRUCTURE                │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│  🖥️ PHYSICAL HOST   │    │         💼 BUSINESS BENEFITS        │
│                     │───►│                                     │
│ Host Specifications:│    │  Compliance & Isolation:           │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Server Model:    │ │    │  │✅ Single-tenant environment    ││
│ │  Dell R640      │ │    │  │✅ Regulatory compliance        ││
│ │CPU: 72 cores    │ │    │  │✅ Physical server isolation    ││
│ │RAM: 768 GB      │ │    │  │✅ Controlled maintenance       ││
│ │Storage: NVMe    │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
│                     │    │  Licensing Benefits:                │
│ VM Allocation:      │    │  ┌─────────────────────────────────┐│
│ ┌─────────────────┐ │    │  │💰 Azure Hybrid Benefit         ││
│ │VM1: 8 cores     │ │    │  │📄 Windows Server licenses      ││
│ │VM2: 16 cores    │ │    │  │🔧 SQL Server licenses          ││
│ │VM3: 12 cores    │ │    │  │📊 Cost optimization            ││
│ │Available: 36    │ │    │  └─────────────────────────────────┘│
│ └─────────────────┘ │    │                                     │
└─────────────────────┘    └─────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    ⚙️ MANAGEMENT & CONTROL                     │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
┌─────────────────────┐    ┌─────────────────────────────────────┐
│   🔧 MAINTENANCE    │    │       📊 MONITORING & BILLING      │
│                     │───►│                                     │
│ Maintenance Control:│    │  Resource Tracking:                 │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Scheduled Windows│ │    │  │Host Utilization: 75%           ││
│ │Customer Control │ │    │  │VM Count: 3 of 8 max           ││
│ │35-day notice    │ │    │  │vCPU Usage: 36 of 72           ││
│ │Defer options    │ │    │  │Memory Usage: 384 GB of 768 GB  ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
│                     │    │                                     │
│ Host Groups:        │    │  Billing Model:                     │
│ ┌─────────────────┐ │    │  ┌─────────────────────────────────┐│
│ │Availability Zone│ │    │  │💳 Per-host pricing             ││
│ │Fault Domains    │ │    │  │⏰ Pay for entire host capacity ││
│ │Update Domains   │ │    │  │🔄 Reserved instances available  ││
│ │Placement Groups │ │    │  │📈 Predictable costs            ││
│ └─────────────────┘ │    │  └─────────────────────────────────┘│
└─────────────────────┘    └─────────────────────────────────────┘

Host Sizing Options:
───────────────────
🔹 Dsv3-Type1 (64 vCPUs, 256 GB RAM)
🔹 Esv3-Type1 (64 vCPUs, 432 GB RAM)  
🔹 Fsv2-Type2 (72 vCPUs, 144 GB RAM)
🔹 Custom sizes available

Azure Virtual Networks (VNet)

Explanation

Fundamental building block for private networks in Azure. Enables Azure resources to securely communicate with each other, the internet, and on-premises networks. Provides isolation, segmentation, and control over IP addressing and routing.

Examples

Creating isolated networks for applications, connecting Azure resources securely, extending on-premises networks to Azure, implementing network segmentation for security, enabling hybrid cloud scenarios.

Enterprise Use Case

Organizations use VNets to create secure, isolated environments for their applications, implement network security policies, connect cloud and on-premises resources, and control traffic flow between resources.

Diagram

Virtual Network Structure:
[Virtual Network] (10.0.0.0/16)
       |
   [Subnets]
       |-- Web Tier (10.0.1.0/24)
       |-- App Tier (10.0.2.0/24)  
       |-- Data Tier (10.0.3.0/24)
       |-- Gateway Subnet (10.0.255.0/27)

Network Security Groups (NSG)

Explanation

Acts as a virtual firewall that controls inbound and outbound traffic to Azure resources. Contains security rules that allow or deny traffic based on source/destination IP, port, and protocol. Can be associated with subnets or network interfaces.

Examples

Allowing HTTP/HTTPS traffic to web servers, blocking SSH access from internet, permitting database connections only from app servers, restricting RDP access to specific IP ranges.

Enterprise Use Case

Used to implement network security policies, control access between tiers of applications, secure remote access, and comply with security requirements by filtering network traffic.

Diagram

Network Security Groups - Comprehensive Security Architecture:

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                           🛡️ NETWORK SECURITY GROUPS ARCHITECTURE                      │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│            📊 RULE PROCESSING           │    │            🎯 SECURITY LAYERS           │
│             PRIORITY MATRIX             │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │ Layer 1: Subnet NSG Rules              │
│ Priority Range  │ Rule Type    │ Usage  │    │ ┌─────────────────────────────────────┐ │
│ ════════════════│══════════════│═══════ │    │ │ Allow: HTTP/HTTPS from Internet     │ │
│ 100-999         │ Custom       │ Allow  │    │ │ Deny:  SSH from Any                │ │
│ 1000-3000       │ Standard     │ Allow  │    │ │ Allow: RDP from Corp Network       │ │
│ 3001-4000       │ Standard     │ Deny   │    │ └─────────────────────────────────────┘ │
│ 4001-4096       │ Default      │ System │    │           ↓ Traffic Flow               │
│                                         │    │ Layer 2: NIC NSG Rules                 │
│ ✅ Lower number = Higher priority       │    │ ┌─────────────────────────────────────┐ │
│ ⚠️  Default rules cannot be deleted     │    │ │ Allow: Database connections (1433)  │ │
│ 🔄  Rules evaluated top to bottom       │    │ │ Deny:  All other database ports    │ │
│                                         │    │ │ Allow: App server communication    │ │
└─────────────────────────────────────────┘    │ └─────────────────────────────────────┘ │
                                               └─────────────────────────────────────────┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                               🚦 TRAFFIC FLOW DECISION MATRIX                          │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Source: Internet (203.0.113.5)  →  Destination: Web Server (10.0.1.10:80)          │
│ ┌─────────────────┐    ┌──────────────────┐    ┌──────────────────┐    ┌───────────┐ │
│ │   📡 Internet   │───▶│   Subnet NSG     │───▶│    NIC NSG       │───▶│ ✅ ALLOW  │ │
│ │  Source Check   │    │ Priority 100:    │    │ Priority 200:    │    │  Traffic  │ │
│ │                 │    │ Allow HTTP (80)  │    │ Allow HTTP (80)  │    │           │ │
│ └─────────────────┘    └──────────────────┘    └──────────────────┘    └───────────┘ │
│                                                                                       │
│ Source: Internet (203.0.113.5)  →  Destination: Database (10.0.2.10:1433)          │
│ ┌─────────────────┐    ┌──────────────────┐    ┌──────────────────┐    ┌───────────┐ │
│ │   📡 Internet   │───▶│   Subnet NSG     │───▶│    NIC NSG       │───▶│ ❌ DENY   │ │
│ │  Source Check   │    │ Priority 300:    │    │ Priority 100:    │    │  Traffic  │ │
│ │                 │    │ Deny All Other   │    │ Deny DB Internet │    │           │ │
│ └─────────────────┘    └──────────────────┘    └──────────────────┘    └───────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                          📋 COMPREHENSIVE RULE CONFIGURATION                           │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Inbound Security Rules                    │ Outbound Security Rules                  │
│ ═══════════════════════                   │ ════════════════════════                 │
│                                           │                                          │
│ Priority │ Name        │ Action │ Protocol │ Priority │ Name        │ Action │ Port  │
│ ════════ │ ═══════════ │ ══════ │ ════════ │ ════════ │ ═══════════ │ ══════ │ ═══  │
│    100   │ Allow-HTTP  │   ✅    │ TCP:80   │    100   │ Allow-HTTPS │   ✅    │ 443  │
│    110   │ Allow-HTTPS │   ✅    │ TCP:443  │    110   │ Allow-DNS   │   ✅    │ 53   │
│    120   │ Allow-RDP   │   ✅    │ TCP:3389 │    120   │ Allow-NTP   │   ✅    │ 123  │
│    200   │ Allow-SSH   │   ✅    │ TCP:22   │    200   │ Allow-SMTP  │   ✅    │ 25   │
│    300   │ Deny-DB     │   ❌    │ TCP:1433 │    300   │ Block-P2P   │   ❌    │ *    │
│   4000   │ AllowVnet   │   ✅    │ Any      │   4000   │ AllowVnet   │   ✅    │ Any  │
│   4001   │ AllowAzLB   │   ✅    │ Any      │   4001   │ AllowInternet│  ✅    │ Any  │
│   4096   │ DenyAllIn   │   ❌    │ Any      │   4096   │ DenyAllOut  │   ❌    │ Any  │
│                                           │                                          │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                            🏗️ DEPLOYMENT ASSOCIATION MATRIX                           │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Association Type    │ Scope         │ Best Practice      │ Use Case               │ │
│ ══════════════════ │ ════════════ │ ══════════════════ │ ═══════════════════════ │ │
│ 🌐 Subnet NSG      │ Subnet-wide  │ ✅ Recommended      │ Broad security policy  │ │
│ 🔗 NIC NSG         │ Per VM/NIC   │ ⚖️ Specific needs   │ VM-specific rules      │ │
│ 🏢 Multiple NSGs   │ Layered      │ 🎯 Defense in depth │ Complex environments   │ │
│ 📊 Application SG  │ App tier     │ 🛡️ Micro-segmentation│ Multi-tier apps       │ │
│                                                                                       │
│ Evaluation Order: Subnet NSG → NIC NSG → Most Restrictive Rule Wins                 │
└═══════════════════════════════════════════════════════════════════════════════════════┘
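Added example (not code from the study guide) that evaluates the flows in the decision matrix above through a subnet NSG and a NIC NSG in the order Azure applies them, returning a trace of which rule decided at each layer. The sample NSGs, prefixes and addresses are constructed; note that Azure's built-in default rules actually sit at priorities 65000, 65001 and 65500, which the diagram compresses into the 4000-4096 band.

```python
"""Evaluate a flow against the subnet NSG and NIC NSG in the order Azure applies them.

Added example; not code from the study guide. Within an NSG, rules are checked in
ascending priority and the first match decides. Inbound traffic passes the subnet NSG
first and then the NIC NSG; outbound traffic passes the NIC NSG first. A flow must be
allowed by every NSG on its path. Sample NSGs, prefixes and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple

# Local stand-ins for service tags; Azure resolves the real tags to maintained prefix lists.
VNET_PREFIXES = [ip_network("10.0.0.0/16")]                         # this VNet's address space
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ip_network("168.63.129.16/32")                     # health-probe source


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str       # "Allow" | "Deny"
    direction: str    # "Inbound" | "Outbound"
    protocol: str     # "Tcp" | "Udp" | "*"
    source: str       # CIDR, "*", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    destination: str  # same selector forms
    dest_ports: str   # "80", "1-1024" or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _addr_matches(selector: str, ip: str) -> bool:
    addr = ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return any(addr in net for net in VNET_PREFIXES)
    if selector == "AzureLoadBalancer":
        return addr in AZURE_LB_PROBE
    if selector == "Internet":   # simplification: anything outside private and VNet space
        return not any(addr in net for net in VNET_PREFIXES + PRIVATE)
    return addr in ip_network(selector, strict=False)


def _port_matches(selector: str, port: int) -> bool:
    if selector == "*":
        return True
    lo, _, hi = selector.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_nsg(rules: Sequence[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First match in ascending priority wins; no match at all is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != flow.protocol.lower():
            continue
        if not (_port_matches(rule.dest_ports, flow.dst_port)
                and _addr_matches(rule.source, flow.src_ip)
                and _addr_matches(rule.destination, flow.dst_ip)):
            continue
        return rule.action, rule
    return "Deny", None


def evaluate_path(subnet_nsg: Optional[Sequence[Rule]], nic_nsg: Optional[Sequence[Rule]],
                  flow: Flow) -> Tuple[str, List[str]]:
    """Walk the NSGs in Azure's order, stopping at the first Deny; the trace names the deciding rules."""
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if flow.direction == "Outbound":
        order.reverse()
    trace: List[str] = []
    for label, rules in order:
        if rules is None:        # no NSG associated at this level
            continue
        action, rule = evaluate_nsg(rules, flow)
        trace.append(f"{label}: {action} by {rule.name if rule else 'implicit deny'}")
        if action == "Deny":
            return "Deny", trace
    return "Allow", trace


def default_rules() -> List[Rule]:
    """Azure's built-in rules, present in every NSG and not deletable."""
    return [
        Rule(65000, "AllowVnetInBound", "Allow", "Inbound", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "Inbound", "*", "AzureLoadBalancer", "*", "*"),
        Rule(65500, "DenyAllInBound", "Deny", "Inbound", "*", "*", "*", "*"),
        Rule(65000, "AllowVnetOutBound", "Allow", "Outbound", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        Rule(65001, "AllowInternetOutBound", "Allow", "Outbound", "*", "*", "Internet", "*"),
        Rule(65500, "DenyAllOutBound", "Deny", "Outbound", "*", "*", "*", "*"),
    ]


# Constructed NSGs mirroring the diagram: web-facing subnet rules plus a stricter NIC NSG on the DB VM.
SUBNET_NSG = [
    Rule(100, "Allow-HTTP", "Allow", "Inbound", "Tcp", "Internet", "*", "80"),
    Rule(110, "Allow-HTTPS", "Allow", "Inbound", "Tcp", "Internet", "*", "443"),
    Rule(300, "Deny-DB", "Deny", "Inbound", "Tcp", "Internet", "*", "1433"),
] + default_rules()
DB_NIC_NSG = [
    Rule(100, "Deny-DB-Internet", "Deny", "Inbound", "Tcp", "Internet", "*", "1433"),
    Rule(200, "Allow-DB-From-App", "Allow", "Inbound", "Tcp", "10.0.1.0/24", "*", "1433"),
] + default_rules()
```

The trace makes the layered evaluation visible: a subnet-level Allow can still end in Deny when the NIC NSG's default DenyAllInBound is the first rule that matches.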

Azure Load Balancer

Explanation

Layer 4 (TCP/UDP) load balancer that distributes incoming traffic among healthy instances of services. Provides high availability and network performance for applications. Supports both inbound and outbound scenarios with automatic failover.

Examples

Distributing web traffic across multiple VMs, load balancing database connections, distributing traffic for high-traffic applications, providing redundancy for critical services.

Enterprise Use Case

Used to ensure application availability, handle traffic spikes, eliminate single points of failure, and improve application performance by distributing load across multiple instances.

Diagram

Azure Load Balancer - Advanced Traffic Distribution Architecture:

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                            ⚖️ AZURE LOAD BALANCER ECOSYSTEM                           │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│         🌐 LOAD BALANCING TYPES         │    │         🔄 DISTRIBUTION ALGORITHMS     │
│                                         │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │                                         │
│ 🌍 Public Load Balancer                 │    │ 🎯 Hash-based (5-tuple)                │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ • Internet-facing traffic           │ │    │ │ Source IP + Source Port             │ │
│ │ • Public IP frontend               │ │    │ │ Destination IP + Destination Port   │ │
│ │ • External client access           │ │    │ │ Protocol → Consistent routing       │ │
│ │ ✅ Best for: Web applications       │ │    │ └─────────────────────────────────────┘ │
│ └─────────────────────────────────────┘ │    │                                         │
│                                         │    │ ⚖️ Session Affinity (Source IP)        │
│ 🏠 Internal Load Balancer               │    │ ┌─────────────────────────────────────┐ │
│ ┌─────────────────────────────────────┐ │    │ │ Same client → Same backend          │ │
│ │ • Private IP frontend              │ │    │ │ Sticky sessions for stateful apps   │ │
│ │ • VNet-to-VNet traffic only        │ │    │ │ Database connection pooling         │ │
│ │ • Internal service communication   │ │    │ │ ⚠️ May cause uneven distribution    │ │
│ │ ✅ Best for: Database clusters      │ │    │ └─────────────────────────────────────┘ │
│ └─────────────────────────────────────┘ │    └─────────────────────────────────────────┘
└─────────────────────────────────────────┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                              🚀 TRAFFIC FLOW & HEALTH MONITORING                      │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│     Internet/VNet Traffic            Load Balancer             Backend Pool          │
│     ═══════════════════════          ═══════════════           ════════════          │
│                                                                                       │
│ 🌐 Client Request (HTTP:80)          📊 Distribution Rules    🖥️ VM-01 (Healthy)     │
│ ┌─────────────────────┐              ┌─────────────────────┐  ┌─────────────────────┐ │
│ │  Source: Internet   │──────────────▶│  Frontend Config    │──▶│ Status: ✅ Online   │ │
│ │  Destination: LB    │              │  • Port: 80 → 8080  │  │ Response: 200 OK    │ │
│ │  Protocol: TCP      │              │  • Algorithm: Hash  │  │ Health: Probe OK    │ │
│ │                     │              │  • Session: None    │  └─────────────────────┘ │
│ └─────────────────────┘              └─────────────────────┘                         │
│                                                   │           🖥️ VM-02 (Healthy)     │
│ 🔄 Health Probe Traffic              🔍 Probe Configuration   ┌─────────────────────┐ │
│ ┌─────────────────────┐              ┌─────────────────────┐  │ Status: ✅ Online   │ │
│ │  Protocol: TCP/HTTP │◄─────────────│  • Interval: 15s    │──▶│ Response: 200 OK    │ │
│ │  Port: 8080        │              │  • Timeout: 5s      │  │ Health: Probe OK    │ │
│ │  Path: /health     │              │  • Threshold: 2     │  └─────────────────────┘ │
│ │  Expected: 200 OK  │              │  • Unhealthy: 2     │                         │
│ └─────────────────────┘              └─────────────────────┘  🖥️ VM-03 (Unhealthy)   │
│                                                               ┌─────────────────────┐ │
│                                      🚫 Failed Backend        │ Status: ❌ Offline  │ │
│                                      ┌─────────────────────┐  │ Response: Timeout   │ │
│                                      │  • Remove from pool │──▶│ Health: Probe Fail  │ │
│                                      │  • Stop routing     │  │ Action: Quarantine  │ │
│                                      │  • Monitor recovery │  └─────────────────────┘ │
│                                      └─────────────────────┘                         │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                            📋 LOAD BALANCER CONFIGURATION MATRIX                      │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Configuration        │ Public Load Balancer     │ Internal Load Balancer            │ │
│ ══════════════════  │ ═══════════════════════  │ ══════════════════════════════    │ │
│ 🌐 Frontend IP      │ Public IP Address        │ Private IP (VNet subnet)          │ │
│ 🎯 Access Scope     │ Internet + VNet          │ VNet only                         │ │
│ 🔒 Security Rules   │ NSG + Firewall required  │ NSG for internal traffic          │ │
│ 💰 Cost Model       │ Higher (outbound data)   │ Lower (no internet egress)        │ │
│ 🏗️ Typical Use      │ Web apps, APIs           │ Databases, internal services      │ │
│ ⚡ Performance      │ Internet latency factor  │ Low latency (same VNet)           │ │
│                                                                                       │
│ Health Probe Types  │ TCP │ HTTP │ HTTPS │ Custom                                   │
│ ═══════════════════ │ ═══ │ ════ │ ═════ │ ══════                                   │ │
│ 🔧 Simple Check     │ ✅  │  ⚖️   │   ⚖️  │   ❌                                      │ │
│ 🌐 Application Layer │ ❌  │  ✅   │   ✅  │   ✅                                      │ │
│ 🔒 SSL/TLS Support  │ ❌  │  ❌   │   ✅  │   ✅                                      │ │
│ 📊 Custom Logic     │ ❌  │  ⚖️   │   ⚖️  │   ✅                                      │ │
│                                                                                       │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                           🎛️ ADVANCED FEATURES & BEST PRACTICES                       │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ High Availability Features         │ Performance Optimization                        │
│ ═══════════════════════════        │ ═══════════════════════════                     │
│                                    │                                                │
│ 🏗️ Zone Redundancy                │ ⚡ Connection Draining                          │
│ ┌────────────────────────────────┐ │ ┌────────────────────────────────────────────┐ │
│ │ • Multi-AZ load balancer       │ │ │ • Graceful removal of unhealthy instances │ │
│ │ • 99.99% uptime SLA            │ │ │ • Existing connections preserved           │ │
│ │                                │ │ │ • Configurable drain timeout              │ │
│ │ • Automatic failover           │ │ └────────────────────────────────────────────┘ │
│ └────────────────────────────────┘ │                                                │
│                                    │ 🔄 Direct Server Return (DSR)                  │
│ 🎯 Multiple Frontend IPs           │ ┌────────────────────────────────────────────┐ │
│ ┌────────────────────────────────┐ │ │ • Response traffic bypasses LB            │ │
│ │ • Multi-service load balancing │ │ │ • Reduced latency & LB throughput          │ │
│ │ • Port-based service routing   │ │ │ • Backend sees original client IP         │ │
│ │ • SSL termination per service  │ │ │ • Asymmetric traffic flow                 │ │
│ └────────────────────────────────┘ │ └────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘

Azure Monitor

Explanation

Comprehensive monitoring solution that collects, analyzes, and acts on telemetry from cloud and on-premises environments. Provides insights into application performance, infrastructure health, and user experience with metrics, logs, and traces.

Examples

Monitoring application performance, tracking resource utilization, setting up alerts for critical conditions, analyzing user behavior, troubleshooting issues, capacity planning.

Enterprise Use Case

Organizations use Azure Monitor for proactive monitoring, troubleshooting, performance optimization, compliance reporting, and maintaining service level agreements (SLAs).

Diagram

Azure Monitor Components:
[Data Sources] --> [Azure Monitor] --> [Insights & Actions]
      |                  |                     |
[Applications]      [Metrics & Logs]      [Dashboards]
[Infrastructure]    [Collection]          [Alerts]
[Networks]          [Storage]             [Automation]

Log Analytics

Explanation

Service within Azure Monitor that collects and analyzes log data from various sources. Uses Kusto Query Language (KQL) to query and analyze data. Provides workspace for storing and analyzing logs with powerful search and analytics capabilities.

Examples

Querying application logs for errors, analyzing security events, tracking performance metrics over time, creating custom dashboards, investigating incidents and outages.

Enterprise Use Case

Used for centralized logging, security monitoring, compliance reporting, troubleshooting, performance analysis, and creating insights from large volumes of log data.

Diagram

Log Analytics Workflow:
[Log Sources] --> [Log Analytics Workspace] --> [KQL Queries] --> [Results]
      |                      |                         |              |
[VMs, Apps]            [Data Storage]           [Search & Filter]  [Charts]
[Azure Services]       [Retention]              [Aggregations]     [Alerts]

Azure Monitor Metrics

Explanation

Azure Monitor Metrics collects numeric data from monitored resources into a time-series database. Metrics are lightweight and near real-time, making them ideal for alerting and fast detection of issues. Accessible through Metrics Explorer and APIs.

Examples

CPU percentage for VMs, request count for web apps, storage account transactions, network throughput, custom application metrics, performance counters.

Enterprise Use Case

Operations teams use metrics for real-time monitoring, setting up alerts, capacity planning, performance optimization, and creating dashboards for business stakeholders.

Diagram

Azure Monitor Metrics Flow:
┌─────────────────────────────────────────────────────────┐
│                    AZURE MONITOR METRICS                │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📊 COLLECTION                               📈 ANALYSIS & ALERTS
┌─────────────────────┐                    ┌─────────────────────┐
│ Resource Metrics:   │───►                │ Metrics Explorer:   │
│ • CPU %             │    │               │ • Time-series charts│
│ • Memory %          │    │               │ • Multi-resource    │
│ • Disk I/O          │    │               │ • Aggregations      │
│ • Network bytes     │    │               │                     │
│                     │    ▼               │ Alert Rules:        │
│ Application Metrics:│ [TIME-SERIES]      │ • Threshold-based   │
│ • Request count     │ [DATABASE]         │ • Multi-dimensional │
│ • Response time     │    │               │ • Action groups     │
│ • Error rate        │    │               │                     │
│                     │    ▼               │ Dashboards:         │
│ Custom Metrics:     │ [NEAR REAL-TIME]   │ • Visual charts     │
│ • Business KPIs     │ [FAST DETECTION]   │ • Custom views      │
│ • Performance       │                    │ • Shared reports    │
└─────────────────────┘                    └─────────────────────┘

Azure Monitor Logs

Explanation

Azure Monitor Logs collects and organizes log and performance data from monitored resources. Data is stored in a Log Analytics workspace and can be analyzed with powerful KQL queries to gain insights and create alerts.

Examples

Application logs, system events, security logs, performance data, custom logs, diagnostic logs from Azure resources, Windows event logs, syslog data.

Enterprise Use Case

IT teams use logs for troubleshooting issues, security monitoring, compliance reporting, root cause analysis, and creating custom dashboards with detailed operational insights.

Diagram

Azure Monitor Logs Architecture:
┌─────────────────────────────────────────────────────────┐
│                   AZURE MONITOR LOGS                    │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📝 LOG COLLECTION                           🔍 QUERY & ANALYSIS
┌─────────────────────┐                    ┌─────────────────────┐
│ Log Sources:        │                    │ Log Analytics:      │
│ • Azure Resources   │───►                │ • KQL queries       │
│ • VMs & Servers     │    │               │ • Custom functions  │
│ • Applications      │    │               │ • Workbooks         │
│ • Custom data       │    │               │                     │
│                     │    ▼               │ Alerting:           │
│ Agent-based:        │ [WORKSPACE]        │ • Log search alerts │
│ • Windows/Linux     │ [STORAGE]          │ • Smart detection   │
│ • Custom scripts    │    │               │ • Action groups     │
│                     │    │               │                     │
│ Diagnostic logs:    │    ▼               │ Integration:        │
│ • Activity logs     │ [RETENTION]        │ • Power BI          │
│ • Resource logs     │ [30-730 days]      │ • Azure Workbooks   │
│ • Azure AD logs     │                    │ • Third-party SIEM  │
└─────────────────────┘                    └─────────────────────┘

Kusto Query Language (KQL)

Explanation

KQL is the query language used in Azure Monitor Logs, Azure Data Explorer, and other Azure services. It provides powerful search, filter, and analytics capabilities for large datasets with intuitive syntax for data exploration and analysis.

Examples

Finding failed requests, analyzing performance trends, security event correlation, capacity planning queries, custom dashboards, automated alerts based on complex conditions.

Enterprise Use Case

Data analysts, DevOps engineers, and security teams use KQL for troubleshooting, monitoring trends, creating reports, and building automated responses to operational events.

Diagram

KQL Query Structure and Examples:
┌─────────────────────────────────────────────────────────┐
│                    KQL QUERY EXAMPLES                   │
└─────────────────────────────────────────────────────────┘

🔍 BASIC QUERIES
────────────────
Table Operations:
  AzureActivity
  | where TimeGenerated > ago(1h)
  | where Level == "Error"
  | take 100

Filtering & Search:
  SecurityEvent
  | where EventID == 4624
  | where Account contains "admin"
  | project TimeGenerated, Account, Computer

Aggregations:
  AppRequests
  | summarize count() by ResultCode
  | order by count_ desc

📊 ADVANCED ANALYTICS
─────────────────────
Time Series:
  Perf
  | where TimeGenerated > ago(7d)
  | where ObjectName == "Processor"
  | summarize avg(CounterValue) by bin(TimeGenerated, 1h)
  | render timechart

Join Operations:
  SecurityEvent
  | join kind=inner (Heartbeat | where OSType == "Windows") on Computer
  | project TimeGenerated, Account, OSVersion

Query Components:
──────────────────────
📋 Data Source  - Table name (e.g., AzureActivity)
🔍 Filter       - | where [condition]
📊 Aggregate    - | summarize [function] by [column]
📈 Visualize    - | render [chart type]
⏰ Time         - | where TimeGenerated > ago(1d)

Azure Monitor Alerts

Explanation

Azure Alerts proactively notify you when important conditions are found in your monitoring data. They can monitor metrics, logs, activity logs, and service health. Alerts trigger actions like sending emails, SMS, webhooks, or running automated responses.

Examples

CPU usage above 80%, failed login attempts, storage account quota exceeded, application response time degradation, resource creation/deletion activities, service outages.

Enterprise Use Case

Operations teams use alerts for proactive monitoring, immediate incident response, service level agreement monitoring, cost control, and ensuring business continuity.

Diagram

Azure Monitor Alerts Workflow:
┌─────────────────────────────────────────────────────────┐
│                   AZURE MONITOR ALERTS                  │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🎯 ALERT RULES                              🔔 ALERT ACTIONS
┌─────────────────────┐                    ┌─────────────────────┐
│ Metric Alerts:      │                    │ Action Groups:      │
│ • Threshold         │───►                │ • Email/SMS         │
│ • Multi-dimensional │    │               │ • Webhook           │
│ • Dynamic threshold │    │               │ • Logic Apps        │
│                     │    │               │ • Azure Functions   │
│ Log Search Alerts:  │    ▼               │                     │
│ • KQL-based         │ [CONDITION]        │ Notifications:      │
│ • Custom queries    │ [EVALUATION]       │ • Teams/Slack       │
│ • Cross-workspace   │    │               │ • ITSM connectors   │
│                     │    │               │ • Mobile app        │
│ Activity Log:       │    ▼               │                     │
│ • Resource changes  │ [ALERT FIRED]      │ Automated Response: │
│ • Service health    │                    │ • Auto-scaling      │
│ • Administrative    │                    │ • Runbook execution │
└─────────────────────┘                    │ • Resource restart  │
                                          └─────────────────────┘

Alert States:
─────────────
🔥 Fired    - Condition met, actions triggered
🔄 Resolved - Condition no longer met
❌ Disabled - Alert rule turned off
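
The Fired/Resolved cycle above, as an added example that is not part of the study guide: a small Python evaluator for a metric alert rule. The rule fields (threshold, aggregation, window, frequency) are modelled on Azure Monitor metric alert settings, but the evaluator and the CPU samples are constructed here for illustration.

```python
"""Evaluate a metric alert rule and track its Fired/Resolved transitions.

Added example, not code from the study guide: the rule fields mirror Azure
Monitor metric alert settings, the evaluation loop and the CPU samples are
constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Callable, Dict, List, Tuple

AGGREGATIONS: Dict[str, Callable[[List[float]], float]] = {
    "Average": mean,
    "Maximum": max,
    "Minimum": min,
}


@dataclass
class MetricAlertRule:
    name: str
    threshold: float
    window: timedelta              # aggregation granularity (look-back period)
    frequency: timedelta           # how often the condition is evaluated
    aggregation: str = "Average"   # Average, Maximum or Minimum
    operator: str = "GreaterThan"  # GreaterThan or LessThan

    def condition_met(self, samples: List[float]) -> bool:
        """Aggregate the samples in the window and compare to the threshold."""
        if not samples:            # no data in the window: treat as not met
            return False
        value = AGGREGATIONS[self.aggregation](samples)
        if self.operator == "GreaterThan":
            return value > self.threshold
        return value < self.threshold


def evaluate(rule: MetricAlertRule, series: List[Tuple[datetime, float]],
             start: datetime, end: datetime) -> List[Tuple[datetime, str]]:
    """Walk the time range at rule.frequency and record state transitions.

    Each evaluation looks at samples in (t - window, t], so a burst shorter
    than the window is smoothed by the aggregation before it can fire, and
    the alert resolves only once a whole window is back under the threshold.
    """
    state = "Resolved"
    transitions: List[Tuple[datetime, str]] = []
    t = start
    while t <= end:
        in_window = [v for ts, v in series if t - rule.window < ts <= t]
        met = rule.condition_met(in_window)
        if met and state != "Fired":
            state = "Fired"
            transitions.append((t, state))
        elif not met and state == "Fired":
            state = "Resolved"
            transitions.append((t, state))
        t += rule.frequency
    return transitions


# Constructed sample: one CPU % sample per minute for 30 minutes, with a
# 10-minute spike to 95 % in the middle (values are illustrative).
BASE = datetime(2024, 3, 1, 8, 0, 0)
SAMPLE_SERIES = [
    (BASE + timedelta(minutes=m), 40.0 if m < 10 else 95.0 if m < 20 else 30.0)
    for m in range(30)
]

# "CPU usage above 80%" from the Examples list, averaged over 5-minute windows.
CPU_RULE = MetricAlertRule(
    name="vm-cpu-high",
    threshold=80.0,
    window=timedelta(minutes=5),
    frequency=timedelta(minutes=5),
)


def demo() -> List[Tuple[datetime, str]]:
    """Run the rule over the sample series: fires at +15 min, resolves at +25 min."""
    return evaluate(CPU_RULE, SAMPLE_SERIES, BASE, BASE + timedelta(minutes=30))


if __name__ == "__main__":
    for when, state in demo():
        print(f"{when:%H:%M}  {CPU_RULE.name}: {state}")
```

Note that the +20 min evaluation still averages 82 % (four spike samples and one low sample), so the alert stays Fired until the window is entirely below the threshold.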

Azure Activity Logs

Explanation

Azure Activity Logs provide insight into subscription-level events that have occurred in Azure. They record who did what, when, and where for all write operations (PUT, POST, DELETE) on resources in your subscription.

Examples

Virtual machine creation, storage account deletion, resource group modifications, role assignments, policy assignments, deployment operations, scaling events.

Enterprise Use Case

Security teams use activity logs for audit trails, compliance reporting, change tracking, security monitoring, and forensic analysis of resource modifications.

Diagram

Azure Activity Log Structure:
┌─────────────────────────────────────────────────────────┐
│                    AZURE ACTIVITY LOGS                  │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📋 LOG CATEGORIES                           🔍 LOG ANALYSIS
┌─────────────────────┐                    ┌─────────────────────┐
│ Administrative:     │                    │ Log Analytics:      │
│ • Resource creation │───►                │ • KQL queries       │
│ • Configuration     │    │               │ • Custom dashboards │
│ • Access management │    │               │ • Automated alerts  │
│                     │    │               │                     │
│ Security:           │    ▼               │ Export Options:     │
│ • Login events      │ [ACTIVITY LOG]     │ • Event Hubs        │
│ • Permission changes│ [STORAGE]          │ • Storage accounts  │
│ • Policy violations │    │               │ • Log Analytics     │
│                     │    │               │ • Azure Monitor     │
│ Service Health:     │    ▼               │                     │
│ • Service issues    │ [90-DAY]           │ Integration:        │
│ • Planned maintenance│ [RETENTION]       │ • SIEM systems      │
│ • Resource health   │                    │ • Compliance tools  │
└─────────────────────┘                    │ • Audit reports     │
                                          └─────────────────────┘

Key Properties:
───────────────
👤 Caller      - Who performed the action
⏰ Timestamp   - When the action occurred
🎯 Resource    - What resource was affected
🔧 Operation   - What action was performed
📊 Result      - Success or failure status
📍 Location    - Azure region where action occurred
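
As an added example (not code from the study guide), the who/what/when/where properties above extracted from constructed Activity Log events in the exported JSON event shape (caller, eventTimestamp, operationName.value, status.value, resourceId). The subscription id, callers and resource names are placeholders, "where" is taken from the resource ID as the resource group or subscription scope, and the list of operations worth flagging for review is an illustrative choice, not an Azure constant.

```python
"""Turn Activity Log events into an audit trail and flag operations worth review.

Added example, not from the study guide. Field names follow the Activity Log
JSON event schema; every event below is constructed with placeholder ids.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id


def _event(caller: str, ts: str, op: str, status: str, level: str,
           resource_id: str) -> Dict:
    """Build one event in the Activity Log JSON shape (constructed sample)."""
    return {"caller": caller, "eventTimestamp": ts,
            "category": {"value": "Administrative"},
            "operationName": {"value": op}, "status": {"value": status},
            "level": level, "resourceId": resource_id}


# Constructed export: a VM write, a role assignment, a failed storage delete
# and an NSG rule change, as an administrator would see them in the log.
SAMPLE_EVENTS_JSON = json.dumps([
    _event("alice@contoso.example", "2024-03-01T08:15:02Z",
           "Microsoft.Compute/virtualMachines/write", "Succeeded", "Informational",
           SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01"),
    _event("bob@contoso.example", "2024-03-01T08:20:44Z",
           "Microsoft.Authorization/roleAssignments/write", "Succeeded", "Informational",
           SUB + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"),
    _event("svc-deploy@contoso.example", "2024-03-01T08:31:10Z",
           "Microsoft.Storage/storageAccounts/delete", "Failed", "Error",
           SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata01"),
    _event("alice@contoso.example", "2024-03-01T09:02:00Z",
           "Microsoft.Network/networkSecurityGroups/securityRules/write", "Succeeded", "Informational",
           SUB + "/resourceGroups/rg-web/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-mgmt"),
])

# Illustrative choice of control-plane operations a reviewer wants surfaced:
# IAM and policy changes plus NSG rule edits; any */delete is added below.
SENSITIVE_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/policyAssignments/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
}

RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+))?",
    re.IGNORECASE)


def parse_resource_id(resource_id: str) -> Dict[str, Optional[str]]:
    """Pull subscription and (optional) resource group out of an ARM resource ID."""
    m = RESOURCE_ID_RE.match(resource_id)
    if not m:
        return {"subscription": None, "resourceGroup": None}
    return {"subscription": m.group("sub"), "resourceGroup": m.group("rg")}


def load_events(text: str) -> List[Dict]:
    """Parse an exported Activity Log JSON array."""
    return json.loads(text)


def audit_record(event: Dict) -> Dict[str, str]:
    """Map one event onto the who / what / when / where / result properties."""
    scope = parse_resource_id(event.get("resourceId", ""))
    return {
        "who": event.get("caller", "<unknown>"),
        "when": event["eventTimestamp"],
        "what": event["operationName"]["value"],
        "result": event["status"]["value"],
        "where": scope["resourceGroup"] or "<subscription scope>",
        "resource": event.get("resourceId", ""),
    }


def is_sensitive(record: Dict[str, str]) -> bool:
    """Flag IAM/policy/NSG writes and every delete, regardless of outcome."""
    op = record["what"]
    return op in SENSITIVE_OPERATIONS or op.lower().endswith("/delete")


def review(events: List[Dict]) -> Tuple[List[Dict], List[Dict], Counter]:
    """Return (all records, records needing review, write count per caller).

    Failed writes are kept in the review list too: a failed delete or role
    assignment is often the first visible sign of a misused identity.
    """
    records = [audit_record(e) for e in events]
    flagged = [r for r in records if is_sensitive(r) or r["result"] == "Failed"]
    by_caller = Counter(r["who"] for r in records)
    return records, flagged, by_caller


if __name__ == "__main__":
    _, flagged, by_caller = review(load_events(SAMPLE_EVENTS_JSON))
    for r in flagged:
        print(f"{r['when']} {r['who']:<28} {r['result']:<9} {r['what']} @ {r['where']}")
    print(dict(by_caller))
```

The Activity Log covers control-plane writes only, so data-plane access (for example blob reads) needs resource logs or storage diagnostics, not this trail.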

VM Insights

Explanation

VM Insights monitors the performance and health of your virtual machines and virtual machine scale sets. It provides detailed views of running processes, dependencies between components, and performance metrics with minimal configuration.

Examples

CPU and memory utilization trends, network connection mapping, process monitoring, dependency discovery, performance baselines, capacity planning data.

Enterprise Use Case

IT operations use VM Insights for performance monitoring, troubleshooting application issues, capacity planning, dependency mapping, and maintaining optimal VM performance.

Diagram

VM Insights Monitoring Dashboard:
┌─────────────────────────────────────────────────────────┐
│                      VM INSIGHTS                        │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📊 PERFORMANCE MONITORING                   🗺️ DEPENDENCY MAPPING
┌─────────────────────┐                    ┌─────────────────────┐
│ Key Metrics:        │                    │ Service Map:        │
│ • CPU utilization   │───►                │ • Process view      │
│ • Memory usage      │    │               │ • Connection mapping│
│ • Disk I/O          │    │               │ • Port details      │
│ • Network traffic   │    │               │ • Failed connections│
│                     │    │               │                     │
│ Trending Data:      │    ▼               │ Dependency Analysis:│
│ • Historical trends │ [LOG ANALYTICS]    │ • External services │
│ • Baseline comparison│ [WORKSPACE]       │ • Internal components│
│ • Anomaly detection │    │               │ • Load balancers    │
│                     │    │               │ • Security groups   │
│ Top Processes:      │    ▼               │                     │
│ • CPU consumers     │ [KUSTO QUERIES]    │ Change Tracking:    │
│ • Memory usage      │ [CUSTOM VIEWS]     │ • Process changes   │
│ • Disk activity     │                    │ • Service additions │
└─────────────────────┘                    │ • Configuration drift│
                                          └─────────────────────┘

Supported Platforms:
────────────────────
🪟 Windows VMs    - Performance counters, processes
🐧 Linux VMs      - Syslog, performance data
🔄 VM Scale Sets  - Aggregate performance across instances
☁️ Hybrid         - On-premises via Azure Arc

Azure Advisor

Explanation

Azure Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry to provide recommendations across cost, security, reliability, operational excellence, and performance.

Examples

Right-sizing VMs, enabling backup, implementing security recommendations, cost optimization suggestions, performance improvements, high availability configurations.

Enterprise Use Case

Cloud architects and operations teams use Advisor to optimize costs, improve security posture, enhance reliability, and ensure they follow Azure best practices.

Diagram

Azure Advisor Recommendation Categories:
┌─────────────────────────────────────────────────────────┐
│                    AZURE ADVISOR                        │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🎯 RECOMMENDATION PILLARS                   📊 ADVISOR DASHBOARD
┌─────────────────────┐                    ┌─────────────────────┐
│ 💰 Cost:            │                    │ Score Summary:      │
│ • Unused resources  │───►                │ • Overall score     │
│ • Right-sizing VMs  │    │               │ • Category breakdown│
│ • Reserved instances│    │               │ • Improvement trends│
│ • Storage tiers     │    │               │                     │
│                     │    │               │ Action Items:       │
│ 🔒 Security:        │    ▼               │ • High impact recs  │
│ • Enable MFA        │ [ANALYSIS]         │ • Quick wins        │
│ • Update OS         │ [ENGINE]           │ • Priority ranking  │
│ • Configure backup  │    │               │                     │
│                     │    │               │ Integration:        │
│ 🎯 Performance:     │    ▼               │ • Action groups     │
│ • Scale settings    │ [PERSONALIZED]     │ • Logic Apps        │
│ • CDN setup         │ [RECOMMENDATIONS]  │ • API access        │
│ • Networking        │                    │ • PowerBI reports   │
│                     │                    │                     │
│ 🔧 Operational:     │                    │ Tracking:           │
│ • Resource tagging  │                    │ • Implementation    │
│ • Monitoring setup  │                    │ • Impact measurement│
│ • Health checks     │                    │ • Progress reports  │
│                     │                    │                     │
│ 🛡️ Reliability:     │                    │ Notifications:      │
│ • Availability zones│                    │ • Email alerts      │
│ • Backup policies   │                    │ • Mobile app        │
│ • Disaster recovery │                    │ • RSS feeds         │
└─────────────────────┘                    └─────────────────────┘

Application Insights

Explanation

Application Insights is an extensible Application Performance Monitoring (APM) service for developers and DevOps professionals. It automatically detects performance anomalies, provides powerful analytics tools, and helps you continuously improve performance and usability.

Examples

Application performance monitoring, user behavior tracking, exception tracking, dependency monitoring, custom telemetry, availability testing, real user monitoring.

Enterprise Use Case

Development teams use Application Insights for performance optimization, debugging production issues, understanding user behavior, monitoring SLAs, and improving application reliability.

Diagram

Application Insights Monitoring Stack:
┌─────────────────────────────────────────────────────────┐
│                  APPLICATION INSIGHTS                   │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📱 APPLICATION TELEMETRY                    📊 ANALYTICS & INSIGHTS
┌─────────────────────┐                    ┌─────────────────────┐
│ Auto-collected:     │                    │ Performance:        │
│ • HTTP requests     │───►                │ • Response times    │
│ • Dependencies      │    │               │ • Throughput        │
│ • Exceptions        │    │               │ • Failure rates     │
│ • Performance       │    │               │ • Availability      │
│                     │    │               │                     │
│ Custom Telemetry:   │    ▼               │ User Analytics:     │
│ • Business events   │ [TELEMETRY]        │ • User flows        │
│ • Custom metrics    │ [PIPELINE]         │ • Retention cohorts │
│ • Log traces        │    │               │ • Feature usage     │
│                     │    │               │ • A/B testing       │
│ Infrastructure:     │    ▼               │                     │
│ • Server metrics    │ [INTELLIGENT]      │ Diagnostics:        │
│ • Browser timing    │ [DETECTION]        │ • Live metrics      │
│ • Mobile app data   │                    │ • Profiler          │
└─────────────────────┘                    │ • Snapshot debugger │
                                          │ • Search & analytics│
                                          └─────────────────────┘

Supported Platforms:
────────────────────
🌐 Web Apps      - .NET, Java, Node.js, Python
📱 Mobile Apps   - iOS, Android, React Native
🖥️ Desktop Apps  - Windows, macOS, Linux
☁️ Azure Services - App Service, Functions, AKS

Azure Workbooks

Explanation

Azure Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to combine text, analytics queries, metrics, and parameters into interactive reports.

Examples

Performance reports, troubleshooting guides, usage analytics, security dashboards, capacity planning reports, incident post-mortems, executive summaries.

Enterprise Use Case

Operations teams create workbooks for standardized reporting, executives use them for business insights, and developers use them for application performance analysis and troubleshooting guides.

Diagram

Azure Workbooks Components:
┌─────────────────────────────────────────────────────────┐
│                    AZURE WORKBOOKS                      │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📝 WORKBOOK ELEMENTS                        🎨 VISUALIZATION OPTIONS
┌─────────────────────┐                    ┌─────────────────────┐
│ Text Sections:      │                    │ Charts & Graphs:    │
│ • Markdown content  │───►                │ • Line charts       │
│ • Instructions      │    │               │ • Bar charts        │
│ • Documentation     │    │               │ • Pie charts        │
│                     │    │               │ • Area charts       │
│ Query Sections:     │    │               │                     │
│ • KQL queries       │    ▼               │ Grids & Tables:     │
│ • Metrics queries   │ [INTERACTIVE]      │ • Data tables       │
│ • Resource data     │ [CANVAS]           │ • Summary grids     │
│                     │    │               │ • Pivot tables      │
│ Parameters:         │    │               │                     │
│ • Time ranges       │    ▼               │ Maps & Tiles:       │
│ • Resource filters  │ [REAL-TIME]        │ • Geographic maps   │
│ • Custom inputs     │ [UPDATES]          │ • Heat maps         │
│                     │                    │ • Metric tiles      │
│ Links & Actions:    │                    │                     │
│ • Navigation        │                    │ Custom Components:  │
│ • Deep links        │                    │ • JSON viewers      │
│ • Export options    │                    │ • Resource pickers  │
└─────────────────────┘                    │ • Alert summaries   │
                                          └─────────────────────┘

Workbook Templates:
───────────────────
📊 Performance     - VM, application, network performance
🔒 Security        - Security Center, Sentinel insights
💰 Cost            - Usage analysis, budget tracking
📱 Usage           - Application usage, feature adoption
🛠️ Troubleshooting - Step-by-step diagnostic guides

Azure Dashboards

Explanation

Azure Dashboards provide a customizable view into your Azure resources through the Azure portal. They allow you to create focused views of your most important metrics, logs, and resource information in a single location.

Examples

Executive dashboards, operational views, service health monitoring, cost tracking, security status, application performance, infrastructure monitoring.

Enterprise Use Case

Operations teams use dashboards for centralized monitoring, executives use them for business metrics, and development teams use them for application health monitoring.

Diagram

Azure Dashboard Layout:
┌─────────────────────────────────────────────────────────┐
│                   AZURE DASHBOARD                       │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🎛️ DASHBOARD TILES                          ⚙️ CONFIGURATION
┌─────────────────────┐                    ┌─────────────────────┐
│ Metrics Tiles:      │                    │ Tile Management:    │
│ • Real-time charts  │───►                │ • Resize & position │
│ • Performance KPIs  │    │               │ • Add/remove tiles  │
│ • Resource health   │    │               │ • Configure queries │
│                     │    │               │                     │
│ Log Tiles:          │    │               │ Sharing Options:    │
│ • KQL query results │    ▼               │ • Public sharing    │
│ • Custom searches   │ [DASHBOARD]        │ • Role-based access │
│ • Alert summaries   │ [LAYOUT]           │ • Organization wide │
│                     │    │               │                     │
│ Resource Tiles:     │    │               │ Export & Import:    │
│ • Resource lists    │    ▼               │ • JSON templates    │
│ • Resource maps     │ [AUTO-REFRESH]     │ • ARM deployments   │
│ • Status overviews  │ [REAL-TIME]        │ • Gallery sharing   │
│                     │                    │                     │
│ Custom Tiles:       │                    │ Mobile Access:      │
│ • Markdown content  │                    │ • Azure mobile app  │
│ • Web content       │                    │ • Responsive design │
│ • Image tiles       │                    │ • Touch-friendly    │
└─────────────────────┘                    └─────────────────────┘

Dashboard Types:
────────────────
📊 Shared     - Organization-wide visibility
👤 Private    - Personal monitoring views
🏢 Template   - Standardized layouts for teams
🌐 Public     - External stakeholder access

Azure Service Health

Explanation

Azure Service Health provides personalized alerts and guidance when Azure service issues affect your resources. It tracks three types of health events: service issues, planned maintenance, and health advisories.

Examples

Service outage notifications, planned maintenance schedules, security advisories, performance degradation alerts, regional service status, resource-specific health events.

Enterprise Use Case

Operations teams use Service Health for proactive incident management, business continuity planning, communication with stakeholders, and SLA monitoring.

Diagram

Azure Service Health Components:
┌─────────────────────────────────────────────────────────┐
│                  AZURE SERVICE HEALTH                   │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🏥 HEALTH EVENTS                            📱 NOTIFICATIONS & ACTIONS
┌─────────────────────┐                    ┌─────────────────────┐
│ Service Issues:     │                    │ Alert Configuration:│
│ • Current outages   │───►                │ • Email notification│
│ • Performance issues│    │               │ • SMS alerts        │
│ • Regional problems │    │               │ • Webhooks          │
│                     │    │               │ • Mobile app push   │
│ Planned Maintenance:│    │               │                     │
│ • Scheduled updates │    ▼               │ Action Groups:      │
│ • Maintenance window│ [FILTERED BY]      │ • ITSM connectors   │
│ • Impact assessment │ [YOUR RESOURCES]   │ • Logic Apps        │
│                     │    │               │ • Azure Functions   │
│ Health Advisories:  │    │               │                     │
│ • Security updates  │    ▼               │ Historical Data:    │
│ • Feature changes   │ [PERSONALIZED]     │ • Past incidents    │
│ • Best practices    │ [ALERTS]           │ • Trend analysis    │
└─────────────────────┘                    │ • Impact reports    │
                                          │ • RCA documents     │
                                          └─────────────────────┘

Service Health Views:
─────────────────────
🌍 Service Issues    - Global Azure service status
📅 Planned Maintenance - Upcoming maintenance events  
📋 Health Advisories  - Security and feature updates
📊 Health History     - Past events and their impact
🎯 Resource Health    - Individual resource status

Azure Network Watcher

Explanation

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. It helps with connectivity monitoring, network security analysis, and performance optimization.

Examples

IP flow verification, network topology visualization, connection troubleshooting, packet capture, VPN diagnostics, NSG flow logs analysis.

Enterprise Use Case

Network administrators use Network Watcher for troubleshooting connectivity issues, security analysis, compliance verification, and network performance optimization.

Diagram

Azure Network Watcher - Comprehensive Network Diagnostics & Monitoring Platform:
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                           🕵️ NETWORK WATCHER DIAGNOSTIC ECOSYSTEM                     │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│        🔍 CONNECTIVITY DIAGNOSTICS      │    │         📊 NETWORK MONITORING           │
│                                         │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │                                         │
│ IP Flow Verify                          │    │ Connection Monitor                      │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ 🎯 Test Scenario                    │ │    │ │ 🔄 Continuous Monitoring            │ │
│ │ • Source: VM-Web-01 (10.1.1.10)    │ │    │ │ • Source: Azure VMs                 │ │
│ │ • Destination: VM-DB-01 (10.1.2.10) │ │    │ │ • Destination: Any endpoint         │ │
│ │ • Protocol: TCP                     │ │    │ │ • Frequency: Every 30s-10min        │ │
│ │ • Port: 1433 (SQL Server)           │ │    │ │ • Alerting: Threshold-based         │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────────────────────────┘ │
│ 📋 Analysis Result                      │    │                                         │
│ ┌─────────────────────────────────────┐ │    │ Network Topology Visualization          │
│ │ ✅ Access: Allowed                   │ │    │ ┌─────────────────────────────────────┐ │
│ │ 📜 NSG Rule: AllowSQLInbound-1000   │ │    │ │ 🗺️ Interactive Network Map         │ │
│ │ 🛡️ Rule Action: Allow               │ │    │ │ • VNets and subnets visualization  │ │
│ │ 🎯 Rule Priority: 1000              │ │    │ │ • Resource dependencies            │ │
│ │ 📍 Traffic Direction: Inbound       │ │    │ │ • Security group associations      │ │
│ │ 🔗 Next Hop: VM-DB-01               │ │    │ │ • Route table visualization        │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────────────────────────┘ │
│                                         │    │                                         │
│ Connectivity Troubleshooter             │    │ Traffic Analytics (AI-Enhanced)         │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ 🕵️ End-to-End Path Analysis        │ │    │ │ 🧠 Machine Learning Insights        │ │
│ │ • Source validation                 │ │    │ │ • Anomaly detection                 │ │
│ │ • Network path tracing              │ │    │ │ • Security threat analysis          │ │
│ │ • Firewall rule evaluation          │ │    │ │ • Performance optimization hints    │ │
│ │ • Route table analysis              │ │    │ │ • Geo-mapping of traffic flows      │ │
│ │ • NSG effective rules               │ │    │ │ • Top talkers identification        │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────────────────────────┘ │
└─────────────────────────────────────────┘    └─────────────────────────────────────────┘
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                            📦 PACKET CAPTURE & DEEP ANALYSIS                          │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Packet Capture Configuration                                                         │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🎯 Capture Target                                                               │ │
│ │ • Virtual Machine: VM-Web-01                                                    │ │
│ │ • Network Interface: vm-web-01-nic                                              │ │
│ │ • Storage Account: networkwatcherlogs                                           │ │
│ │                                                                                 │ │
│ │ 📋 Capture Filters                                                             │ │
│ │ • Protocol: TCP                          • Local IP: 10.1.1.10               │ │
│ │ • Local Port: Any                        • Remote IP: Any                      │ │
│ │ • Remote Port: 80, 443                   • Maximum bytes per packet: 1500     │ │
│ │ • Maximum bytes per session: 1GB         • Time limit: 18000 seconds          │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                       │
│ Packet Analysis Workflow                                                              │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │                                                                                 │ │
│ │ Step 1: Capture Initiation   Step 2: Real-time Analysis    Step 3: Download    │ │
│ │ ┌───────────────────┐        ┌───────────────────┐         ┌─────────────────┐ │ │
│ │ │ 🎬 Start Capture   │──────▶ │ 📊 Live Statistics │───────▶ │ 💾 Save .cap    │ │ │
│ │ │ • Agent deployment │        │ • Packet count     │         │ • Wireshark     │ │ │
│ │ │ • Filter application│       │ • Protocol breakdown│        │ • Local analysis│ │ │
│ │ │ • Storage allocation│       │ • Error detection   │         │ • Forensics     │ │ │
│ │ └───────────────────┘        └───────────────────┘         └─────────────────┘ │ │
│ │                                       │                                         │ │
│ │                              Step 4: Advanced Analysis                          │ │
│ │                              ┌───────────────────────────┐                     │ │
│ │                              │ 🔬 Protocol Deep Dive     │                     │ │
│ │                              │ • HTTP request/response   │                     │ │
│ │                              │ • TLS handshake analysis  │                     │ │
│ │                              │ • TCP connection tracking │                     │ │
│ │                              │ • Performance metrics     │                     │ │
│ │                              └───────────────────────────┘                     │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                              🔐 NSG FLOW LOGS & SECURITY ANALYSIS                     │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Flow Log Configuration & Processing Pipeline                                          │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │                                                                                 │ │
│ │ NSG Flow Logs v2                          Traffic Analytics Integration          │ │
│ │ ┌─────────────────────────────────┐      ┌─────────────────────────────────────┐ │ │
│ │ │ 📋 Flow Record Structure        │      │ 🧠 Analytics Processing            │ │ │
│ │ │ • Timestamp: 2024-01-15 10:30   │      │ • Log Analytics Workspace          │ │ │
│ │ │ • Source IP: 10.1.1.10          │──────▶ • AI/ML anomaly detection          │ │ │
│ │ │ • Destination IP: 52.168.1.50   │      │ • Security threat correlation      │ │ │
│ │ │ • Source Port: 45123            │      │ • Geo-location mapping             │ │ │
│ │ │ • Destination Port: 443         │      │ • Performance trend analysis       │ │ │
│ │ │ • Protocol: TCP                 │      │ • Custom KQL queries               │ │ │
│ │ │ • Traffic Direction: Outbound   │      └─────────────────────────────────────┘ │ │
│ │ │ • Action: Allow                 │                                              │ │
│ │ │ • Flow State: Begin/Continue/End│      Security Insights Dashboard             │ │
│ │ └─────────────────────────────────┘      ┌─────────────────────────────────────┐ │ │
│ │                                          │ 🚨 Threat Detection                │ │ │
│ │ Storage Configuration                    │ • Malicious IP detection           │ │ │
│ │ ┌─────────────────────────────────┐      │ • Port scanning alerts             │ │ │
│ │ │ 💾 Azure Storage Account        │      │ • DDoS pattern recognition          │ │ │
│ │ │ • Hot tier for recent logs      │      │ • Data exfiltration indicators     │ │ │
│ │ │ • Cool tier for archival        │      │ • Compliance violation reports     │ │ │
│ │ │ • Retention: 30-365 days        │      │ • Security posture scoring         │ │ │
│ │ │ • Format: JSON                  │      └─────────────────────────────────────┘ │ │
│ │ └─────────────────────────────────┘                                              │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                             🚀 VPN DIAGNOSTICS & PERFORMANCE ANALYSIS                │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ VPN Gateway Troubleshooting Matrix                                                   │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ Diagnostic Category      │ Test Scenarios                  │ Analysis Output      │ │
│ │ ══════════════════════  │ ══════════════════════════════ │ ══════════════════   │ │
│ │ 🔗 Connectivity         │ Site-to-Site tunnel status     │ ✅ UP / ❌ DOWN       │ │
│ │                         │ Point-to-Site client count     │ Active: 45/128       │ │
│ │                         │ Gateway health check           │ Health: 99.9% uptime │ │
│ │                         │                                │                      │ │
│ │ ⚡ Performance          │ Bandwidth utilization          │ Current: 450 Mbps    │ │
│ │                         │ Latency measurement            │ Average: 23ms        │ │
│ │                         │ Packet loss analysis           │ Loss rate: 0.01%     │ │
│ │                         │                                │                      │ │
│ │ 🔐 Security             │ IPsec tunnel encryption        │ AES-256/SHA-256      │ │
│ │                         │ Certificate validation         │ Valid until 2025     │ │
│ │                         │ Authentication method          │ Pre-shared key       │ │
│ │                         │                                │                      │ │
│ │ 🛠️ Configuration        │ BGP routing convergence        │ Routes: 245 learned  │ │
│ │                         │ Local network gateway config   │ Status: Configured   │ │
│ │                         │ Address space overlap check    │ No conflicts found   │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                       │
│ Automated Diagnostics Workflow                                                       │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 1️⃣ Issue Detection        2️⃣ Root Cause Analysis     3️⃣ Resolution Guidance    │ │
│ │ ┌───────────────────┐      ┌───────────────────┐      ┌───────────────────────┐ │ │
│ │ │ 🚨 Alert Triggers  │──────▶ │ 🔍 Deep Diagnosis  │──────▶ │ 📋 Action Items      │ │ │
│ │ │ • Connection drops │      │ • Config validation │      │ • Update shared key   │ │ │
│ │ │ • High latency     │      │ • Routing analysis  │      │ • Adjust BGP settings │ │ │
│ │ │ • Auth failures    │      │ • Certificate check │      │ • Renew certificates  │ │ │
│ │ │ • Bandwidth spikes │      │ • Performance test  │      │ • Upgrade gateway SKU │ │ │
│ │ └───────────────────┘      └───────────────────┘      └───────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                            🎛️ DEPLOYMENT & INTEGRATION WORKFLOWS                      │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Network Watcher Enablement & Configuration                                           │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 1️⃣ Enable Network Watcher                                                       │ │
│ │ az network watcher configure \                                                  │ │
│ │   --resource-group NetworkWatcherRG \                                           │ │
│ │   --locations eastus \                                                          │ │
│ │   --enabled true                                                                │ │
│ │                                                                                 │ │
│ │ 2️⃣ Configure Flow Logs                                                          │ │
│ │ az network watcher flow-log create \                                            │ │
│ │   --resource-group myResourceGroup \                                            │ │
│ │   --location eastus \                                                           │ │
│ │   --name myFlowLog \                                                            │ │
│ │   --nsg myNetworkSecurityGroup \                                                │ │
│ │   --storage-account myStorageAccount \                                          │ │
│ │   --traffic-analytics true \                                                    │ │
│ │   --workspace myWorkspace \                                                     │ │
│ │   --retention 30 \                                                              │ │
│ │   --format JSON                                                                 │ │
│ │                                                                                 │ │
│ │ 3️⃣ Setup Connection Monitor                                                     │ │
│ │ az network watcher connection-monitor create \                                  │ │
│ │   --resource-group myResourceGroup \                                            │ │
│ │   --location eastus \                                                           │ │
│ │   --name myConnectionMonitor \                                                  │ │
│ │   --source-resource vm-web-01 \                                                 │ │
│ │   --dest-address 10.1.2.10 \                                                    │ │
│ │   --dest-port 1433 \                                                            │ │
│ │   --monitoring-interval 30                                                      │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                       │
│ Integration with Azure Monitor & Security Center                                      │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 📊 Azure Monitor Integration                                                    │ │
│ │ • Custom dashboards with Network Watcher metrics                               │ │
│ │ • Automated alerting based on connectivity tests                                │ │
│ │ • Log Analytics workspace correlation                                           │ │
│ │ • Application Insights network dependency mapping                               │ │
│ │                                                                                 │ │
│ │ 🛡️ Security Center Correlation                                                │ │
│ │ • Network security recommendations                                              │ │
│ │ • Threat detection and response automation                                      │ │
│ │ • Compliance reporting integration                                              │ │
│ │ • Security score impact analysis                                                │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
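
The IP Flow Verify result in the diagram (access allowed by AllowSQLInbound at priority 1000) comes from the way an NSG evaluates a flow: rules are tried in ascending priority order, the first rule whose direction, protocol, source, destination and port all match decides, and Azure's default rules at priority 65000 and above sit behind every custom rule. The model below is an added example written for this guide, not Microsoft's code or the Network Watcher API; the rule set, names and addresses are constructed, and it assumes the VirtualNetwork tag covers 10.0.0.0/8.

```python
"""Model of NSG rule evaluation as IP Flow Verify reports it.

Added example for this guide, not Microsoft's code or the Network Watcher API.
Rules are evaluated in ascending priority order (lowest number first); the first
rule whose protocol, source, destination and port all match decides, and Azure's
default rules (priority 65000+) sit behind the custom ones. The rule set, names
and addresses below are constructed; the VNet address space assumed for the
VirtualNetwork service tag is 10.0.0.0/8.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*", or a tag: VirtualNetwork, Internet, AzureLoadBalancer
    dest: str
    dest_ports: str    # "1433", "80,443", "1000-2000" or "*"
    action: str        # "Allow" or "Deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Assumption: the VNet address space behind the VirtualNetwork service tag.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
AZURE_LB_PROBE_IP = "168.63.129.16"   # source address of Azure load balancer health probes


def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":           # approximation: everything outside the VNet
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def default_rules(direction: str) -> list:
    """The default rules Azure adds to every NSG; they cannot be removed, only overridden."""
    if direction == "Inbound":
        return [
            Rule("AllowVnetInBound", 65000, "Inbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
            Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "*", "AzureLoadBalancer", "*", "*", "Allow"),
            Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
        ]
    return [
        Rule("AllowVnetOutBound", 65000, "Outbound", "*", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "*", "*", "Internet", "*", "Allow"),
        Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
    ]


def evaluate(custom_rules: list, flow: Flow) -> Rule:
    """Return the first matching rule in priority order (custom rules, then defaults)."""
    candidates = [r for r in custom_rules if r.direction == flow.direction]
    candidates += default_rules(flow.direction)
    for rule in sorted(candidates, key=lambda r: r.priority):
        if ((rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
                and _addr_matches(rule.source, flow.src_ip)
                and _addr_matches(rule.dest, flow.dst_ip)
                and _port_matches(rule.dest_ports, flow.dst_port)):
            return rule
    raise RuntimeError("unreachable: the DenyAll default rule matches everything")


def ip_flow_verify(custom_rules: list, flow: Flow) -> dict:
    """Shape the answer the way the IP Flow Verify blade reports it."""
    rule = evaluate(custom_rules, flow)
    return {"access": "Allowed" if rule.action == "Allow" else "Denied",
            "rule": rule.name, "priority": rule.priority}


# Constructed NSG on the database subnet: SQL only from the web subnet.
DB_NSG_RULES = [
    Rule("AllowSQLInbound", 1000, "Inbound", "Tcp", "10.1.1.0/24", "*", "1433", "Allow"),
    Rule("DenyRDPFromInternet", 2000, "Inbound", "Tcp", "Internet", "*", "3389", "Deny"),
]

if __name__ == "__main__":
    for f in [Flow("Inbound", "Tcp", "10.1.1.10", "10.1.2.10", 1433),    # web tier
              Flow("Inbound", "Tcp", "10.1.3.7", "10.1.2.10", 1433),     # another subnet
              Flow("Inbound", "Tcp", "203.0.113.5", "10.1.2.10", 1433)]:  # internet
        print(f.src_ip, "->", f.dst_port, ip_flow_verify(DB_NSG_RULES, f))
```

Run it and the second flow is the one to notice: a VM in another subnet still reaches port 1433, not through AllowSQLInbound but through the default AllowVnetInBound rule at 65000. A scoped allow rule on its own never restricts anything; restricting SQL to the web subnet needs an explicit Deny at a priority below 65000, which is exactly the kind of gap IP Flow Verify surfaces.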

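The NSG Flow Logs v2 panel above lists the fields of a flow record; in the storage account each record is a JSON blob whose flow tuples pack those fields into one comma-separated string. The parser below is an added example written for this guide (not Microsoft's or Traffic Analytics' code) that decodes such a record and derives two defender-side summaries from it: sources whose inbound attempts were denied across several ports, which is the raw material for the "port scanning alerts" in the diagram, and bytes per NSG rule. The record, resource id, MAC and addresses are constructed; the v2 tuple layout it relies on is the documented one.

```python
"""Parse NSG flow log v2 JSON and summarize it the way a defender would.

Added example for this guide, not Microsoft's or Traffic Analytics' code. The
record below is constructed (placeholder resourceId, MAC and addresses). The
v2 flow-tuple layout it uses is the documented one: unix time, source IP,
destination IP, source port, destination port, protocol (T/U), direction (I/O),
decision (A/D), flow state (B/C/E), then packets and bytes in each direction,
which are empty on Begin records and reported since the previous record on
Continue and End records.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2024-01-15T10:30:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MYNETWORKSECURITYGROUP",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705314600,10.1.1.10,52.168.1.50,45123,443,T,O,A,B,,,,",
            "1705314605,10.1.1.10,52.168.1.50,45123,443,T,O,A,E,12,4321,10,9876"]}]},
        {"rule": "UserRule_AllowHTTPSInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705314620,198.51.100.9,10.1.1.10,40000,443,T,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1705314610,203.0.113.5,10.1.1.10,51000,22,T,I,D,B,,,,",
            "1705314611,203.0.113.5,10.1.1.10,51001,23,T,I,D,B,,,,",
            "1705314612,203.0.113.5,10.1.1.10,51002,3389,T,I,D,B,,,,",
            "1705314613,203.0.113.5,10.1.1.10,51003,445,T,I,D,B,,,,",
            "1705314630,198.51.100.77,10.1.1.10,52000,22,T,I,D,B,,,,"]}]},
    ]},
}]})

PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "Inbound", "O": "Outbound"}
DECISION = {"A": "Allow", "D": "Deny"}
STATE = {"B": "Begin", "C": "Continue", "E": "End"}


def _counter(value: str) -> int:
    """Packet/byte counters are blank on Begin records."""
    return int(value) if value else 0


def parse_tuple(rule: str, mac: str, raw: str) -> dict:
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 v2 fields, got {len(f)}: {raw}")
    return {
        "time": datetime.fromtimestamp(int(f[0]), tz=timezone.utc),
        "src_ip": f[1], "dst_ip": f[2],
        "src_port": int(f[3]), "dst_port": int(f[4]),
        "protocol": PROTOCOL.get(f[5], f[5]),
        "direction": DIRECTION[f[6]], "decision": DECISION[f[7]], "state": STATE[f[8]],
        "packets_out": _counter(f[9]), "bytes_out": _counter(f[10]),
        "packets_in": _counter(f[11]), "bytes_in": _counter(f[12]),
        "rule": rule, "mac": mac,
    }


def parse_flow_log(text: str) -> list:
    """Flatten every flow tuple in a flow-log blob into one dict per tuple."""
    flows = []
    for record in json.loads(text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("only flow log version 2 is handled here")
        for entry in props["flows"]:
            for nic in entry["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(entry["rule"], nic["mac"], raw))
    return flows


def denied_inbound_sweeps(flows: list, min_ports: int = 3) -> dict:
    """Sources whose inbound attempts were denied on at least min_ports distinct ports.

    Only Begin records count, so a long-lived flow is not re-counted on each
    Continue record. This is the raw signal behind a port-scan alert.
    """
    ports = defaultdict(set)
    for f in flows:
        if f["direction"] == "Inbound" and f["decision"] == "Deny" and f["state"] == "Begin":
            ports[f["src_ip"]].add(f["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def bytes_per_rule(flows: list) -> dict:
    """Total bytes in both directions per NSG rule, from the records that carry counters."""
    totals = defaultdict(int)
    for f in flows:
        if f["state"] in ("Continue", "End"):
            totals[f["rule"]] += f["bytes_out"] + f["bytes_in"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(flows), "flow tuples")
    print("denied sweeps:", denied_inbound_sweeps(flows))
    print("bytes per rule:", bytes_per_rule(flows))
```

Two details matter when this runs over real blobs: retention (the `--retention 30` in the CLI block above) bounds how far back such a query can look, and the rule name on each entry tells you which NSG rule produced the decision, so a denied sweep landing on DefaultRule_DenyAllInBound means no custom rule was involved at all.
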
Connection Monitor

Explanation

Connection Monitor provides unified end-to-end connection monitoring in Azure Network Watcher. It monitors connectivity between Azure VMs, on-premises machines, and service endpoints with continuous testing and alerting.

Examples

Monitoring VM-to-VM connectivity, testing internet access, verifying on-premises connections, service endpoint reachability, multi-path network testing.

Enterprise Use Case

Network operations teams use Connection Monitor for proactive connectivity monitoring, SLA verification, network performance baseline establishment, and early detection of connectivity issues.

Diagram

Connection Monitor Architecture:
┌─────────────────────────────────────────────────────────┐
│                  CONNECTION MONITOR                     │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🎯 MONITORING TARGETS                       📊 METRICS & ANALYSIS
┌─────────────────────┐                    ┌─────────────────────┐
│ Source Endpoints:   │                    │ Key Metrics:        │
│ • Azure VMs         │───►                │ • Reachability %    │
│ • On-premises VMs   │    │               │ • Round trip time   │
│ • Azure services    │    │               │ • Jitter            │
│                     │    │               │ • Packet loss       │
│ Destination Types:  │    │               │                     │
│ • IP addresses      │    ▼               │ Test Configuration: │
│ • FQDNs             │ [TEST TRAFFIC]     │ • Test frequency    │
│ • Service endpoints │ [CONTINUOUS]       │ • Protocol: TCP/HTTP│
│ • External services │    │               │ • Port specification│
│                     │    │               │                     │
│ Test Paths:         │    ▼               │ Alerting:           │
│ • Direct routes     │ [ANALYSIS]         │ • Threshold-based   │
│ • Multi-hop paths   │ [ENGINE]           │ • Custom conditions │
│ • Load balancer     │                    │ • Action groups     │
└─────────────────────┘                    │ • Notification rules│
                                          └─────────────────────┘

Monitoring Capabilities:
────────────────────────
⏰ Continuous Testing - Regular connectivity checks
📈 Historical Data    - Long-term trend analysis  
🗺️ Network Topology   - Visual connection mapping
🚨 Real-time Alerts   - Immediate failure notification
📊 Custom Dashboards  - Tailored monitoring views
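
The key metrics listed in the diagram are all summaries of individual probes: a test configuration sends a probe every N seconds, and reachability, round-trip time, jitter and packet loss are computed over the probes in a window, with the test marked failed when the failed-probe percentage or the average RTT crosses its threshold. The code below is an added example written for this guide, not Microsoft's Connection Monitor implementation; the probe samples and thresholds are constructed.

```python
"""Derive Connection Monitor's metrics from individual probes and evaluate thresholds.

Added example for this guide, not Microsoft's Connection Monitor code. A test
runs a probe every N seconds; reachability, round-trip time, jitter and packet
loss are summaries of those probes, and a test fails when the failed-probe
percentage or the average RTT crosses the configured threshold. The probe
samples and thresholds below are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Probe:
    succeeded: bool
    rtt_ms: Optional[float] = None   # None when the probe got no reply


def _successful_rtts(probes: list) -> list:
    return [p.rtt_ms for p in probes if p.succeeded and p.rtt_ms is not None]


def reachability_percent(probes: list) -> float:
    """Share of probes that got an answer."""
    if not probes:
        return 0.0
    return 100.0 * sum(1 for p in probes if p.succeeded) / len(probes)


def packet_loss_percent(probes: list) -> float:
    return 100.0 - reachability_percent(probes)


def average_rtt_ms(probes: list) -> Optional[float]:
    rtts = _successful_rtts(probes)
    return mean(rtts) if rtts else None


def jitter_ms(probes: list) -> float:
    """Mean absolute change between consecutive successful RTTs."""
    rtts = _successful_rtts(probes)
    if len(rtts) < 2:
        return 0.0
    return mean([abs(b - a) for a, b in zip(rtts, rtts[1:])])


def evaluate_test(probes: list, failed_percent_threshold: float, rtt_threshold_ms: float) -> dict:
    """Threshold check in the style of a test configuration: Pass or Fail plus the reasons."""
    reasons = []
    loss = packet_loss_percent(probes)
    if loss > failed_percent_threshold:
        reasons.append(f"checks failed {loss:.1f}% > {failed_percent_threshold}%")
    rtt = average_rtt_ms(probes)
    if rtt is None:
        reasons.append("no successful probe, round-trip time unknown")
    elif rtt > rtt_threshold_ms:
        reasons.append(f"avg RTT {rtt:.1f} ms > {rtt_threshold_ms} ms")
    return {"status": "Fail" if reasons else "Pass",
            "reachability_percent": reachability_percent(probes),
            "avg_rtt_ms": rtt, "jitter_ms": jitter_ms(probes), "reasons": reasons}


# Constructed: one window of ten 30-second probes from vm-web-01 to 10.1.2.10:1433.
SAMPLE_PROBES = [Probe(True, 20), Probe(True, 22), Probe(True, 25), Probe(False), Probe(True, 21),
                 Probe(True, 23), Probe(True, 24), Probe(True, 22), Probe(True, 26), Probe(True, 21)]

if __name__ == "__main__":
    print(evaluate_test(SAMPLE_PROBES, failed_percent_threshold=5, rtt_threshold_ms=100))
```

One lost probe in ten is 10% loss, which passes a 10% failed-checks threshold and fails a 5% one; that is why the threshold, not the raw reachability number, is what decides whether an alert fires, and why a baseline period is needed before setting it.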

Recovery Services Vault

Explanation

Recovery Services Vault is a storage entity in Azure that stores backup data and recovery points. It provides centralized management for backup and disaster recovery operations with policy-based backup scheduling and retention.

Examples

VM backup storage, file share backup retention, cross-region replication, backup policy management, disaster recovery orchestration, compliance reporting.

Enterprise Use Case

IT operations use Recovery Services Vault for centralized data protection, meeting compliance requirements, disaster recovery planning, and cost-effective long-term data retention.

Diagram

Recovery Services Vault Components:
┌─────────────────────────────────────────────────────────┐
│                RECOVERY SERVICES VAULT                  │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🗄️ VAULT STORAGE                           ⚙️ VAULT CONFIGURATION
┌─────────────────────┐                    ┌─────────────────────┐
│ Backup Data:        │                    │ Storage Settings:   │
│ • VM snapshots      │───►                │ • Redundancy type   │
│ • File backups      │    │               │ • LRS/GRS/ZRS       │
│ • Database backups  │    │               │ • Cross-region      │
│ • Archive data      │    │               │ • Security features │
│                     │    │               │                     │
│ Retention Policies: │    ▼               │ Access Control:     │
│ • Daily backups     │ [POLICY-BASED]     │ • RBAC roles        │
│ • Weekly retention  │ [MANAGEMENT]       │ • Backup operators  │
│ • Monthly archives  │    │               │ • Security admins   │
│ • Yearly retention  │    │               │                     │
│                     │    ▼               │ Monitoring:         │
│ Recovery Points:    │ [CENTRALIZED]      │ • Backup jobs       │
│ • App-consistent    │ [CONTROL]          │ • Alert rules       │
│ • Crash-consistent  │                    │ • Usage reports     │
│ • Point-in-time     │                    │ • Cost analysis     │
└─────────────────────┘                    └─────────────────────┘

Vault Features:
───────────────
🔐 Security      - Encryption, access control, soft delete
⚡ Performance   - Parallel backup, fast restore
📊 Monitoring    - Jobs, alerts, reports, analytics
🌍 Geo-redundancy - Cross-region data protection
💰 Cost Control  - Tiered storage, lifecycle policies
🔄 Integration   - Azure Site Recovery, Azure Monitor
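
The retention policies in the diagram (daily, weekly, monthly, yearly) are tiers, and a recovery point is kept until the longest tier it qualifies for expires: a Sunday backup kept for 12 weeks outlives the 30-day daily tier, and a 1 January backup covered by a 7-year yearly tier outlives everything. The code below is an added example written for this guide, not Azure Backup's implementation; the policy, dates and month arithmetic are its own.

```python
"""Work out how long a backup policy keeps each recovery point.

Added example for this guide, not Azure Backup's code. It models the daily /
weekly / monthly / yearly retention tiers a Recovery Services vault policy
carries: a recovery point stays until the longest tier it qualifies for
expires. The policy, dates and month arithmetic below are this example's own.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RetentionPolicy:
    daily_days: int                       # every recovery point is kept at least this long
    weekly_weekday: Optional[int] = None  # 0 = Monday ... 6 = Sunday
    weekly_weeks: int = 0
    monthly_day: Optional[int] = None     # day-of-month based monthly tier
    monthly_months: int = 0
    yearly_month: Optional[int] = None    # month and day of the yearly point
    yearly_day: Optional[int] = None
    yearly_years: int = 0


def add_months(d: date, months: int) -> date:
    """Calendar-aware month addition; clamps the day, so 31 Jan + 1 month is the last day of Feb."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_tiers(point: date, policy: RetentionPolicy) -> list:
    """Return (tier name, expiry date) for every tier the recovery point qualifies for."""
    tiers = [("daily", point + timedelta(days=policy.daily_days))]
    if policy.weekly_weekday is not None and point.weekday() == policy.weekly_weekday:
        tiers.append(("weekly", point + timedelta(weeks=policy.weekly_weeks)))
    if policy.monthly_day is not None and point.day == policy.monthly_day:
        tiers.append(("monthly", add_months(point, policy.monthly_months)))
    if (policy.yearly_month is not None and point.month == policy.yearly_month
            and point.day == policy.yearly_day):
        tiers.append(("yearly", add_months(point, 12 * policy.yearly_years)))
    return tiers


def expiry(point: date, policy: RetentionPolicy) -> tuple:
    """The recovery point is deleted only when its longest-lived tier expires."""
    return max(retention_tiers(point, policy), key=lambda t: t[1])


def retained_points(points: list, policy: RetentionPolicy, today: date) -> list:
    """Recovery points the vault still holds on a given day under the policy."""
    return sorted(p for p in points if expiry(p, policy)[1] > today)


# Constructed policy: 30 daily, 12 weekly (Sunday), 12 monthly (1st), 7 yearly (1 January).
POLICY = RetentionPolicy(daily_days=30, weekly_weekday=6, weekly_weeks=12,
                         monthly_day=1, monthly_months=12,
                         yearly_month=1, yearly_day=1, yearly_years=7)

SAMPLE_POINTS = [date(2024, 1, 1), date(2024, 1, 7), date(2024, 1, 10), date(2024, 2, 1)]

if __name__ == "__main__":
    for p in SAMPLE_POINTS:
        tier, until = expiry(p, POLICY)
        print(p, "kept by", tier, "tier until", until)
    print("held on 2024-03-01:", retained_points(SAMPLE_POINTS, POLICY, date(2024, 3, 1)))
```

The practical consequence for vault sizing and for soft delete is that the long tiers, not the daily count, determine how much data the vault holds and for how long a deleted point can still be recovered; a policy change shortens only future expiries, never the ones already granted.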

Azure Site Recovery (ASR)

Explanation

Azure Site Recovery orchestrates and manages disaster recovery for Azure VMs, on-premises VMs, and physical servers. It replicates workloads running on primary machines to a secondary location and provides automated failover and failback capabilities.

Examples

VM disaster recovery, on-premises to Azure migration, Azure region-to-region replication, application failover testing, business continuity planning.

Enterprise Use Case

Organizations use ASR for business continuity, disaster recovery, cloud migration, and minimizing downtime during planned and unplanned outages.

Diagram

Azure Site Recovery Workflow:
┌─────────────────────────────────────────────────────────┐
│                  AZURE SITE RECOVERY                    │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🏢 PRIMARY SITE                             🌩️ RECOVERY SITE
┌─────────────────────┐                    ┌─────────────────────┐
│ Protected Workloads:│                    │ Replicated Data:    │
│ • Azure VMs         │───►                │ • VM replicas       │
│ • Hyper-V VMs       │    │               │ • Synchronized data │
│ • VMware VMs        │    │               │ • Recovery points   │
│ • Physical servers  │    │               │                     │
│                     │    │               │ Recovery Services:  │
│ Replication:        │    ▼               │ • Automated failover│
│ • Continuous sync   │ [SECURE]           │ • Network mapping   │
│ • Incremental data  │ [REPLICATION]      │ • IP preservation   │
│ • Application-aware │    │               │ • DNS updates       │
│                     │    │               │                     │
│ Monitoring:         │    ▼               │ Testing:            │
│ • Replication health│ [RECOVERY]         │ • Test failover     │
│ • RPO tracking      │ [SERVICES VAULT]   │ • DR drills         │
│ • Alert management  │                    │ • Compliance checks │
└─────────────────────┘                    └─────────────────────┘

DR Scenarios:
─────────────
🔄 Azure to Azure      - Region-to-region protection
🏢 On-premises to Azure - Cloud-based DR solution  
🌐 Multi-site           - Complex hybrid scenarios
⚡ Migration           - Lift-and-shift to Azure
🧪 Test Environment    - Non-disruptive DR testing

Log Analytics Workspaces

Explanation

Log Analytics Workspaces are containers for the data Azure Monitor collects. Each workspace has its own data repository and configuration, and each data source or solution is configured to send its data to a particular workspace.

Examples

Creating workspaces for different environments (dev/prod), separating data by department, configuring data retention policies, managing access permissions, cross-workspace queries.

Enterprise Use Case

Organizations use multiple workspaces to separate data for security, compliance, billing, or organizational boundaries while maintaining centralized monitoring capabilities.

Diagram

Log Analytics Workspace Architecture:
┌─────────────────────────────────────────────────────────┐
│                LOG ANALYTICS WORKSPACE                  │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📊 DATA COLLECTION                          ⚙️ WORKSPACE MANAGEMENT
┌─────────────────────┐                    ┌─────────────────────┐
│ Data Sources:       │                    │ Configuration:      │
│ • Azure VMs         │───►                │ • Data retention    │
│ • Azure services    │    │               │ • Pricing tier      │
│ • Applications      │    │               │ • Access control    │
│ • Custom data       │    │               │ • Location settings │
│                     │    │               │                     │
│ Agent Collection:   │    ▼               │ Data Management:    │
│ • MMA/AMA agents    │ [WORKSPACE]        │ • Table schemas     │
│ • Diagnostic logs   │ [DATA STORE]       │ • Data export       │
│ • Syslog data       │    │               │ • Backup policies   │
│                     │    │               │                     │
│ Integration:        │    ▼               │ Querying:           │
│ • Azure Monitor     │ [RETENTION]        │ • KQL queries       │
│ • Security Center   │ [30-730 DAYS]      │ • Saved searches    │
│ • Sentinel          │                    │ • Cross-workspace   │
└─────────────────────┘                    └─────────────────────┘

Workspace Benefits:
───────────────────
🔐 Security    - Role-based access control
📊 Scale       - Handle massive data volumes
🌍 Global      - Deploy in multiple regions
💰 Cost        - Flexible pricing tiers
🔍 Query       - Advanced KQL capabilities

Advanced Monitoring Tools

Explanation

Azure provides a comprehensive suite of advanced monitoring tools that work together to provide deep insights into application performance, infrastructure health, user behavior, and business metrics through integrated dashboards and analytics.

Examples

Performance troubleshooting with Application Insights, cost optimization with Azure Advisor, executive reporting with Workbooks, real-time dashboards, service health monitoring.

Enterprise Use Case

Enterprise teams use these tools collectively for comprehensive monitoring strategies, from technical performance metrics to business intelligence and strategic decision-making.

Diagram

Advanced Monitoring Tools Ecosystem:
┌─────────────────────────────────────────────────────────┐
│               ADVANCED MONITORING TOOLS                 │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🎯 SPECIALIZED MONITORING                   📊 REPORTING & VISUALIZATION
┌─────────────────────┐                    ┌─────────────────────┐
│ Azure Advisor:      │                    │ Azure Workbooks:    │
│ • Best practices    │───►                │ • Interactive report│
│ • Cost optimization │    │               │ • Custom analytics  │
│ • Security insights │    │               │ • Exec. dashboards  │
│ • Performance tips  │    │               │                     │
│                     │    │               │ Azure Dashboards:   │
│ Application Insights:│    ▼               │ • Real-time metrics │
│ • APM monitoring    │ [INSIGHTS]         │ • Resource status   │
│ • User analytics    │ [GENERATION]       │ • Custom views      │
│ • Dependency maps   │    │               │                     │
│                     │    │               │ Service Health:     │
│ VM Insights:        │    ▼               │ • Service status    │
│ • Performance data  │ [ACTIONABLE]       │ • Planned maintenance│
│ • Process monitoring│ [RECOMMENDATIONS]  │ • Health advisories │
│ • Dependency view   │                    │ • Impact analysis   │
└─────────────────────┘                    └─────────────────────┘

Tool Integration:
─────────────────
🔄 Data Flow    - Seamless data sharing between tools
📈 Correlation  - Cross-tool insights and analysis
🚨 Alerting     - Unified notification system
📱 Mobile       - Access insights anywhere

Monitor Networking

Explanation

Azure network monitoring provides comprehensive visibility into network performance, connectivity, security, and troubleshooting across virtual networks, hybrid connections, and internet-facing services with real-time insights and historical analysis.

Examples

Connection monitoring between VMs, VPN performance tracking, NSG flow analysis, bandwidth utilization monitoring, security threat detection, network topology visualization.

Enterprise Use Case

Network operations teams use these tools for proactive network management, security monitoring, performance optimization, and rapid troubleshooting of connectivity issues.

Diagram

Network Monitoring Comprehensive View:
┌─────────────────────────────────────────────────────────┐
│                  NETWORK MONITORING                     │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🌐 CONNECTIVITY MONITORING                  🔍 ANALYSIS & INSIGHTS
┌─────────────────────┐                    ┌─────────────────────┐
│ Connection Monitor: │                    │ Traffic Analytics:  │
│ • End-to-end tests  │───►                │ • Flow patterns     │
│ • Latency tracking  │    │               │ • Security insights │
│ • Reachability      │    │               │ • Anomaly detection │
│ • Multi-path        │    │               │                     │
│                     │    │               │ Network Topology:   │
│ Network Watcher:    │    ▼               │ • Visual mapping    │
│ • Packet capture    │ [MONITORING]       │ • Dependency view   │
│ • Flow logs         │ [DATA]             │ • Resource health   │
│ • IP flow verify    │    │               │                     │
│                     │    │               │ Performance Metrics:│
│ ExpressRoute:       │    ▼               │ • Bandwidth usage   │
│ • Circuit monitoring│ [REAL-TIME]        │ • Packet loss       │
│ • BGP diagnostics   │ [ANALYSIS]         │ • Latency trends    │
│ • Gateway health    │                    │ • Error rates       │
└─────────────────────┘                    └─────────────────────┘

Monitoring Scope:
─────────────────
🌍 Global      - Multi-region network visibility
🔒 Security    - Threat detection and analysis
📊 Performance - Bandwidth and latency monitoring
🛠️ Diagnostic  - Root cause analysis tools

NSG Flow Logs

Explanation

Network Security Group (NSG) Flow Logs capture information about IP traffic flowing through NSGs. They provide detailed insights into network traffic patterns, security analysis, and compliance monitoring with rich metadata about each connection.

Examples

Security threat analysis, traffic pattern identification, compliance auditing, network forensics, bandwidth utilization tracking, unauthorized access detection.

Enterprise Use Case

Security teams use NSG Flow Logs for threat hunting, compliance reporting, network forensics, and understanding traffic patterns for capacity planning and security optimization.

Diagram

NSG Flow Logs Architecture:
┌─────────────────────────────────────────────────────────┐
│                    NSG FLOW LOGS                        │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📊 DATA CAPTURE                             🔍 ANALYSIS & INSIGHTS
┌─────────────────────┐                    ┌─────────────────────┐
│ Traffic Information:│                    │ Traffic Analytics:  │
│ • Source/Dest IPs   │───►                │ • Flow patterns     │
│ • Port numbers      │    │               │ • Top talkers       │
│ • Protocol details  │    │               │ • Geo mapping       │
│ • Traffic volume    │    │               │ • Threat intelligence│
│                     │    │               │                     │
│ NSG Rule Details:   │    ▼               │ Security Analysis:  │
│ • Allow/Deny        │ [STORAGE]          │ • Malicious IPs     │
│ • Rule triggered    │ [ACCOUNT]          │ • Port scanning     │
│ • Direction         │    │               │ • DDoS detection    │
│                     │    │               │                     │
│ Metadata:           │    ▼               │ Compliance:         │
│ • Timestamps        │ [LOG ANALYTICS]    │ • Audit trails      │
│ • MAC addresses     │ [WORKSPACE]        │ • Data retention    │
│ • Flow state        │                    │ • Export capabilities│
└─────────────────────┘                    └─────────────────────┘

Log Formats:
────────────
📋 Version 1  - Basic flow information
📊 Version 2  - Enhanced with flow state and byte/packet counts
🔍 JSON       - Structured format for automated processing
📈 Analytics  - Direct integration with monitoring tools
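The version 2 record layout listed above, parsed and turned into a first triage view, as an added example written for this guide (it is not Azure's own tooling and not code from the page): each flow tuple is split into its named fields, denied inbound flows are grouped by source, and sources that hit several closed ports are surfaced as probing candidates for a defender to review. The record is constructed to follow the documented layout; the addresses, MAC and resource ID are placeholders. It also accepts version 1 records, which carry only the first eight fields.

```python
"""Parse NSG Flow Log records and summarize what the NSG denied.

Added example for this study guide, not Azure's own tooling. The record below is
constructed to follow the documented flow log layout (one JSON document per blob,
one comma-separated tuple per flow); the IPs, MAC and resource ID are placeholders.
"""
import json
from collections import defaultdict

# Version 2 tuple layout; version 1 tuples carry only the first eight fields.
TUPLE_FIELDS = ("timestamp", "src_ip", "dst_ip", "src_port", "dst_port",
                "protocol", "direction", "decision", "flow_state",
                "pkts_src_dst", "bytes_src_dst", "pkts_dst_src", "bytes_dst_src")
COUNTERS = TUPLE_FIELDS[9:]

SAMPLE_FLOW_LOG = json.dumps({"records": [{   # constructed sample record
    "time": "2024-03-31T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/WEB-PROD"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1711879200,203.0.113.7,10.5.16.4,51000,22,T,I,D,B,,,,",
            "1711879201,203.0.113.7,10.5.16.4,51001,23,T,I,D,B,,,,",
            "1711879202,203.0.113.7,10.5.16.4,51002,3389,T,I,D,B,,,,",
            "1711879203,198.51.100.9,10.5.16.4,44000,445,T,I,D,B,,,,"]}]},
        {"rule": "AllowHTTPSInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1711879210,198.51.100.20,10.5.16.4,40001,443,T,I,A,B,,,,",
            "1711879215,198.51.100.20,10.5.16.4,40001,443,T,I,A,E,12,4096,10,8192"]}]}]}}]})


def parse_flow_log(text):
    """Return one dict per flow tuple, joined with the NSG, rule and MAC it belongs to."""
    entries = []
    for record in json.loads(text)["records"]:
        props = record["properties"]
        version = props.get("Version", 1)
        fields = TUPLE_FIELDS if version == 2 else TUPLE_FIELDS[:8]
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_entry in props["flows"]:
            for flow in rule_entry["flows"]:
                for raw in flow["flowTuples"]:
                    parts = raw.split(",")
                    if len(parts) != len(fields):
                        raise ValueError(f"malformed version {version} tuple: {raw!r}")
                    entry = dict(zip(fields, parts))
                    # Counters are empty on begin ('B') records and absent in v1: treat as zero.
                    for key in COUNTERS:
                        entry[key] = int(entry[key]) if entry.get(key) else 0
                    entry.update(nsg=nsg, rule=rule_entry["rule"], mac=flow["mac"])
                    entries.append(entry)
    return entries


def denied_inbound_ports(entries):
    """Map source IP -> distinct destination ports the NSG denied inbound from it."""
    ports = defaultdict(set)
    for e in entries:
        if e["direction"] == "I" and e["decision"] == "D":
            ports[e["src_ip"]].add(int(e["dst_port"]))
    return dict(ports)


def probing_sources(entries, min_ports=3):
    """Sources whose denied inbound flows touched at least `min_ports` distinct ports:
    an explainable triage signal that a host is being probed, not a verdict."""
    return sorted(ip for ip, ports in denied_inbound_ports(entries).items() if len(ports) >= min_ports)


def bytes_by_rule(entries):
    """Total bytes in both directions per NSG rule (only 'C'/'E' records carry counters)."""
    totals = defaultdict(int)
    for e in entries:
        totals[e["rule"]] += e["bytes_src_dst"] + e["bytes_dst_src"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    print(len(flows), "flow tuples")
    print("denied inbound ports by source:", denied_inbound_ports(flows))
    print("probing sources:", probing_sources(flows))
    print("bytes by rule:", bytes_by_rule(flows))
```

In practice the same functions run over each JSON blob in the flow log storage container; Traffic Analytics does this aggregation for you, but seeing the raw tuple fields is what makes its "top talkers" and "port scanning" views interpretable.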

Azure Backup Policies

Explanation

Azure Backup Policies define when backups are taken, how long they are retained, and what type of backup is performed. Policies provide consistent, automated backup management across different resource types with customizable retention rules.

Examples

Daily VM backups with weekly retention, monthly archival policies, differential backup strategies, geo-redundant backup policies, application-consistent snapshots.

Enterprise Use Case

IT operations use backup policies to ensure consistent data protection, meet compliance requirements, optimize storage costs, and automate backup management across enterprise environments.

Diagram

Azure Backup Policy Configuration:
┌─────────────────────────────────────────────────────────┐
│                   BACKUP POLICIES                       │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
⏰ SCHEDULE CONFIGURATION                   📊 RETENTION MANAGEMENT
┌─────────────────────┐                    ┌─────────────────────┐
│ Backup Frequency:   │                    │ Retention Rules:    │
│ • Daily backups     │───►                │ • Daily: 30 days    │
│ • Weekly backups    │    │               │ • Weekly: 12 weeks  │
│ • Monthly backups   │    │               │ • Monthly: 12 months│
│ • Custom schedules  │    │               │ • Yearly: 10 years  │
│                     │    │               │                     │
│ Backup Windows:     │    ▼               │ Storage Tiers:      │
│ • Time zone settings│ [POLICY]           │ • Standard storage  │
│ • Maintenance hours │ [ENGINE]           │ • Archive tier      │
│ • Business hours    │    │               │ • Cool storage      │
│                     │    │               │                     │
│ Backup Types:       │    ▼               │ Compliance:         │
│ • Full backups      │ [AUTOMATED]        │ • Legal hold        │
│ • Incremental       │ [EXECUTION]        │ • Immutable backups │
│ • Differential      │                    │ • Audit trails      │
└─────────────────────┘                    └─────────────────────┘

Policy Types:
─────────────
🖥️ VM Policy      - Virtual machine backup policies
📁 File Policy    - Azure Files backup configuration
💾 SQL Policy     - Database-specific backup rules
🌐 Multi-tier     - Complex retention strategies
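How the retention rules in the diagram play out over time is easier to see by simulating them. The following is an added example written for this guide, not Azure Backup's retention engine and not code from the page: it assumes one backup per day, Sunday as the weekly point, day 1 as the monthly point and 1 January as the yearly point (Azure lets you choose each of these), then reports which recovery points survive on a given date and which rule keeps each one.

```python
"""Simulate which recovery points a backup policy keeps on a given day.

Added example for this study guide; it is not Azure Backup's retention engine.
The numbers mirror the diagram above (daily 30 days, weekly 12 weeks, monthly
12 months, yearly 10 years). Assumptions: one backup per day, Sunday is the
weekly point, day 1 is the monthly point, 1 January is the yearly point.
"""
from datetime import date, timedelta

POLICY = {
    "daily_days": 30,
    "weekly_weeks": 12, "weekly_weekday": 6,       # Monday=0 ... Sunday=6
    "monthly_months": 12, "monthly_day": 1,
    "yearly_years": 10, "yearly_month": 1, "yearly_day": 1,
}


def _as_date(value):
    """Accept a date object or an ISO date string such as '2024-03-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def months_between(older, newer):
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def retention_rules(point, today, policy=POLICY):
    """Names of the rules that still keep `point` on `today`.
    An empty set means the recovery point has expired and would be pruned."""
    point, today = _as_date(point), _as_date(today)
    rules = set()
    age_days = (today - point).days
    if age_days < 0:                      # a point cannot be retained before it exists
        return rules
    if age_days < policy["daily_days"]:
        rules.add("daily")
    if point.weekday() == policy["weekly_weekday"] and age_days < policy["weekly_weeks"] * 7:
        rules.add("weekly")
    if point.day == policy["monthly_day"] and months_between(point, today) < policy["monthly_months"]:
        rules.add("monthly")
    if (point.month, point.day) == (policy["yearly_month"], policy["yearly_day"]) \
            and today.year - point.year < policy["yearly_years"]:
        rules.add("yearly")
    return rules


def retained_points(first_backup, today, policy=POLICY):
    """Simulate daily backups from `first_backup` through `today` and return
    {date: rules} for every recovery point the policy still retains."""
    day, today = _as_date(first_backup), _as_date(today)
    kept = {}
    while day <= today:
        rules = retention_rules(day, today, policy)
        if rules:
            kept[day] = rules
        day += timedelta(days=1)
    return kept


if __name__ == "__main__":
    today = date(2024, 3, 31)
    kept = retained_points(date(2023, 1, 1), today)
    total = (today - date(2023, 1, 1)).days + 1
    print(f"{len(kept)} of {total} recovery points retained on {today}")
    for day in sorted(kept):
        print(day, day.strftime("%a"), ", ".join(sorted(kept[day])))
```

Running it for 2023-01-01 through 2024-03-31 keeps 50 of 456 points: the last 30 days, seven further Sundays, twelve first-of-month points and the previous 1 January. That is the storage footprint the policy implies, and the gap between "last 30 days" and "one point per month" is what a restore request from six weeks ago will run into.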

Azure Backup Reports

Explanation

Azure Backup Reports provide comprehensive analytics and insights into backup operations, storage consumption, policy compliance, and operational efficiency. They offer centralized visibility across all backup operations with customizable dashboards.

Examples

Backup success/failure analysis, storage consumption trends, compliance reporting, cost optimization insights, backup job duration analysis, recovery point objectives monitoring.

Enterprise Use Case

Backup administrators and management teams use reports for operational oversight, capacity planning, compliance auditing, cost optimization, and backup strategy refinement.

Diagram

Azure Backup Reports Dashboard:
┌─────────────────────────────────────────────────────────┐
│                   BACKUP REPORTS                        │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📊 OPERATIONAL METRICS                      💰 COST & STORAGE ANALYSIS
┌─────────────────────┐                    ┌─────────────────────┐
│ Job Performance:    │                    │ Storage Consumption:│
│ • Success rates     │───►                │ • Total backup size │
│ • Failure analysis  │    │               │ • Growth trends     │
│ • Duration trends   │    │               │ • Storage tiers     │
│ • Recovery times    │    │               │ • Geo-redundancy    │
│                     │    │               │                     │
│ Compliance Status:  │    ▼               │ Cost Optimization:  │
│ • Policy adherence  │ [ANALYTICS]        │ • Pricing breakdown │
│ • Backup coverage   │ [ENGINE]           │ • Unused resources  │
│ • Missing backups   │    │               │ • Tier recommendations│
│                     │    │               │                     │
│ Health Monitoring:  │    ▼               │ Capacity Planning:  │
│ • Alert summaries   │ [INSIGHTS]         │ • Growth projections│
│ • Infrastructure    │ [GENERATION]       │ • Resource planning │
│ • Service health    │                    │ • Budget forecasts  │
└─────────────────────┘                    └─────────────────────┘

Report Features:
────────────────
📈 Interactive  - Drill-down capabilities and filtering
🔄 Scheduled    - Automated report generation and delivery
📧 Distribution - Email reports to stakeholders
📊 Custom       - Configurable dashboards and metrics

Cost and Maintenance Management

Explanation

Azure Cost and Maintenance Management encompasses strategies, tools, and processes for optimizing cloud spending, maintaining resource efficiency, and ensuring sustainable operations through automated monitoring, alerts, and cleanup procedures.

Examples

Budget alerts for cost control, automated resource cleanup, maintenance scheduling, cost analysis dashboards, spending optimization recommendations, resource rightsizing.

Enterprise Use Case

Finance and operations teams use these tools for budget management, cost optimization, resource lifecycle management, and maintaining operational efficiency while controlling cloud spending.

Diagram

Cost and Maintenance Management Framework:
┌─────────────────────────────────────────────────────────┐
│               COST & MAINTENANCE MANAGEMENT             │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
💰 COST CONTROL                             🛠️ MAINTENANCE OPERATIONS
┌─────────────────────┐                    ┌─────────────────────┐
│ Budget Management:  │                    │ Resource Lifecycle: │
│ • Spending alerts   │───►                │ • Automated cleanup │
│ • Budget forecasts  │    │               │ • Maintenance windows│
│ • Cost thresholds   │    │               │ • Update scheduling │
│ • Department billing│    │               │ • Patch management  │
│                     │    │               │                     │
│ Cost Analysis:      │    ▼               │ Operational Tools:  │
│ • Usage trends      │ [MONITORING]       │ • PowerShell scripts│
│ • Service breakdown │ [SYSTEM]           │ • ARM templates     │
│ • Optimization tips │    │               │ • Automation runbooks│
│                     │    │               │ • Infrastructure code│
│ Financial Controls: │    ▼               │                     │
│ • Spending limits   │ [AUTOMATED]        │ Compliance:         │
│ • Approval workflows│ [RESPONSES]        │ • Policy enforcement│
│ • Resource tagging  │                    │ • Standards adherence│
│ • Chargeback reports│                    │ • Audit preparation │
└─────────────────────┘                    └─────────────────────┘

Management Pillars:
───────────────────
📊 Visibility   - Complete cost and resource visibility
🤖 Automation   - Automated responses and maintenance
📈 Optimization - Continuous improvement and rightsizing
🔒 Governance   - Policy-driven cost and resource control

Azure Billing Alerts

Explanation

Azure Billing Alerts provide proactive notifications when spending approaches or exceeds defined thresholds. They help organizations maintain budget control, prevent cost overruns, and enable timely responses to unexpected spending patterns.

Examples

Monthly budget alerts at 80% threshold, department-specific spending notifications, service cost spike alerts, unusual usage pattern warnings, credit exhaustion alerts.

Enterprise Use Case

Finance teams and cloud administrators use billing alerts for budget governance, cost control, department accountability, and preventing unexpected charges in cloud environments.

Diagram

Azure Billing Alerts System:
┌─────────────────────────────────────────────────────────┐
│                   BILLING ALERTS                        │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
⚡ ALERT TRIGGERS                           📧 NOTIFICATION SYSTEM
┌─────────────────────┐                    ┌─────────────────────┐
│ Threshold Types:    │                    │ Alert Channels:     │
│ • Budget percentage │───►                │ • Email notifications│
│ • Fixed amount      │    │               │ • SMS messages      │
│ • Monthly limits    │    │               │ • Webhook integration│
│ • Credit balance    │    │               │ • Azure Mobile app  │
│                     │    │               │                     │
│ Alert Conditions:   │    ▼               │ Recipient Groups:   │
│ • Actual spending   │ [MONITORING]       │ • Finance team      │
│ • Forecasted costs  │ [ENGINE]           │ • Department heads  │
│ • Usage anomalies   │    │               │ • Cloud admins      │
│                     │    │               │ • Management        │
│ Scope Filters:      │    ▼               │                     │
│ • Subscription      │ [ALERT]            │ Response Actions:   │
│ • Resource group    │ [GENERATION]       │ • Automated responses│
│ • Service category  │                    │ • Approval workflows│
│ • Department tags   │                    │ • Resource shutdown │
└─────────────────────┘                    └─────────────────────┘

Alert Configuration:
────────────────────
🎯 Threshold    - Customizable spending limits
⏰ Frequency    - Real-time to daily notifications
📊 Granularity  - Service, resource, or tag-based
🔄 Escalation   - Multi-level alert sequences

Azure Cost Management Dashboards

Explanation

Azure Cost Management Dashboards provide visual insights into cloud spending patterns, cost trends, usage analytics, and optimization opportunities through customizable charts, graphs, and reports for different stakeholder needs.

Examples

Executive spending summaries, department cost breakdowns, service usage trends, budget vs actual comparisons, cost optimization recommendations, resource utilization analytics.

Enterprise Use Case

Finance leaders, department managers, and operations teams use these dashboards for budget oversight, cost accountability, trend analysis, and strategic decision-making about cloud investments.

Diagram

Cost Management Dashboard Views:
┌─────────────────────────────────────────────────────────┐
│               COST MANAGEMENT DASHBOARDS                │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
📊 EXECUTIVE VIEW                           🔍 OPERATIONAL VIEW
┌─────────────────────┐                    ┌─────────────────────┐
│ High-Level Metrics: │                    │ Detailed Analytics: │
│ • Total spending    │───►                │ • Service breakdown │
│ • Budget variance   │    │               │ • Resource costs    │
│ • Cost trends       │    │               │ • Usage patterns    │
│ • Department costs  │    │               │ • Optimization tips │
│                     │    │               │                     │
│ Strategic Insights: │    ▼               │ Technical Metrics:  │
│ • Forecast accuracy │ [VISUALIZATION]    │ • Reserved instances│
│ • ROI analysis      │ [ENGINE]           │ • Spot pricing      │
│ • Investment impact │    │               │ • Right-sizing      │
│                     │    │               │ • Idle resources    │
│ Business KPIs:      │    ▼               │                     │
│ • Cost per user     │ [INTERACTIVE]      │ Action Items:       │
│ • Service efficiency│ [REPORTS]          │ • Cleanup tasks     │
│ • Growth metrics    │                    │ • Policy violations │
│                     │                    │ • Recommendations   │
└─────────────────────┘                    └─────────────────────┘

Dashboard Features:
───────────────────
🎛️ Customizable - Drag-and-drop widget configuration
📱 Responsive   - Mobile-friendly responsive design
🔄 Real-time    - Live data updates and refresh
📤 Shareable    - Export and sharing capabilities

Azure Resource Cleanup

Explanation

Azure Resource Cleanup involves systematic identification, evaluation, and removal of unused, underutilized, or obsolete cloud resources to optimize costs, improve security, and maintain operational efficiency through automated and manual processes.

Examples

Orphaned disk cleanup, unused VM identification, temporary resource removal, test environment cleanup, old snapshot deletion, abandoned storage accounts.

Enterprise Use Case

Operations teams use resource cleanup for cost optimization, security hygiene, compliance maintenance, and keeping cloud environments organized and efficient.

Diagram

Resource Cleanup Workflow:
┌─────────────────────────────────────────────────────────┐
│                  RESOURCE CLEANUP                       │
└─┬───────────────────────────────────────────────────┬───┘
  │                                                   │
  ▼                                                   ▼
🔍 IDENTIFICATION PHASE                     🗑️ CLEANUP EXECUTION
┌─────────────────────┐                    ┌─────────────────────┐
│ Discovery Methods:  │                    │ Cleanup Actions:    │
│ • Cost analysis     │───►                │ • Resource deletion │
│ • Usage monitoring  │    │               │ • Deallocation      │
│ • Tag analysis      │    │               │ • Archive operations│
│ • Age-based rules   │    │               │ • License reclaim   │
│                     │    │               │                     │
│ Target Resources:   │    ▼               │ Safety Measures:    │
│ • Unused VMs        │ [EVALUATION]       │ • Backup validation │
│ • Orphaned disks    │ [PROCESS]          │ • Impact assessment │
│ • Old snapshots     │    │               │ • Rollback plans    │
│ • Test environments │    │               │ • Approval workflows│
│                     │    ▼               │                     │
│ Assessment Criteria:│ [AUTOMATED]        │ Documentation:      │
│ • Last accessed     │ [RULES]            │ • Cleanup logs      │
│ • Business value    │                    │ • Cost savings      │
│ • Dependencies      │                    │ • Audit trails      │
└─────────────────────┘                    └─────────────────────┘

Cleanup Strategies:
───────────────────
⏰ Scheduled   - Automated cleanup on regular schedules
🎯 Targeted    - Specific resource type or age-based cleanup
🔒 Safe        - Non-destructive operations with rollback
📊 Measured    - Cost impact and savings tracking
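The identification phase and the safety measures from the workflow above, as an added example written for this guide (not an Azure feature and not the page's own code). It works on records shaped like `az disk list -o json` and `az snapshot list -o json`, trimmed to the fields the checks need; the records, the subscription ID and the `do-not-delete` exclusion tag are constructed assumptions. The output is a review list carrying the CLI call a reviewer would approve, not an executed deletion.

```python
"""Find cleanup candidates in `az` inventory output without deleting anything.

Added example for this study guide, not an Azure feature. The records are
constructed in the shape of `az disk list -o json` and `az snapshot list -o json`,
trimmed to the fields the logic uses. Assumptions: a `do-not-delete` tag (any value)
marks a resource as off-limits, resources younger than the age threshold are never
candidates, and the result is a review list for a change ticket.
"""
from datetime import datetime, timezone

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder subscription
RG = f"{SUB}/resourceGroups/Web-Prod"

DISKS = [  # constructed
    {"id": f"{RG}/providers/Microsoft.Compute/disks/websvr01-osdisk", "name": "websvr01-osdisk",
     "diskState": "Attached", "managedBy": f"{RG}/providers/Microsoft.Compute/virtualMachines/WebSvr01",
     "timeCreated": "2023-05-10T08:00:00.000000+00:00", "tags": {"env": "prod"}},
    {"id": f"{RG}/providers/Microsoft.Compute/disks/old-data-disk", "name": "old-data-disk",
     "diskState": "Unattached", "managedBy": None,
     "timeCreated": "2023-11-01T08:00:00.000000+00:00", "tags": None},
    {"id": f"{RG}/providers/Microsoft.Compute/disks/legal-hold-disk", "name": "legal-hold-disk",
     "diskState": "Unattached", "managedBy": None,
     "timeCreated": "2023-02-01T08:00:00.000000+00:00", "tags": {"do-not-delete": "legal-case-42"}},
    {"id": f"{RG}/providers/Microsoft.Compute/disks/fresh-unattached", "name": "fresh-unattached",
     "diskState": "Unattached", "managedBy": None,
     "timeCreated": "2024-03-25T08:00:00.000000+00:00", "tags": None},
]
SNAPSHOTS = [  # constructed
    {"id": f"{RG}/providers/Microsoft.Compute/snapshots/websvr01-snap-20230601",
     "name": "websvr01-snap-20230601", "timeCreated": "2023-06-01T02:00:00.000000+00:00", "tags": None},
    {"id": f"{RG}/providers/Microsoft.Compute/snapshots/websvr01-snap-20240315",
     "name": "websvr01-snap-20240315", "timeCreated": "2024-03-15T02:00:00.000000+00:00", "tags": None},
]
NOW = datetime(2024, 3, 31, tzinfo=timezone.utc)   # fixed "today" so the run is reproducible


def age_days(resource, now=NOW):
    created = datetime.fromisoformat(resource["timeCreated"].replace("Z", "+00:00"))
    return (now - created).days


def protected(resource):
    """Exclusion gate: anything carrying the do-not-delete tag is never a candidate."""
    return "do-not-delete" in (resource.get("tags") or {})


def orphaned_disks(disks, min_age_days=30, now=NOW):
    """Unattached managed disks older than the threshold (typically left behind by deleted VMs)."""
    return [d for d in disks
            if d["diskState"] == "Unattached" and not d.get("managedBy")
            and age_days(d, now) >= min_age_days and not protected(d)]


def stale_snapshots(snapshots, max_age_days=90, now=NOW):
    """Snapshots past the retention window that nobody tagged as protected."""
    return [s for s in snapshots if age_days(s, now) > max_age_days and not protected(s)]


def cleanup_plan(disks, snapshots, now=NOW):
    """Review list: what would be removed, why, and the CLI call a reviewer would approve.
    Nothing here runs `az`; the plan is the safety measure (approval before deletion)."""
    plan = []
    for d in orphaned_disks(disks, now=now):
        plan.append({"name": d["name"], "reason": f"unattached for {age_days(d, now)} days",
                     "command": f"az disk delete --ids {d['id']} --yes"})
    for s in stale_snapshots(snapshots, now=now):
        plan.append({"name": s["name"], "reason": f"snapshot is {age_days(s, now)} days old",
                     "command": f"az snapshot delete --ids {s['id']}"})
    return plan


if __name__ == "__main__":
    for item in cleanup_plan(DISKS, SNAPSHOTS):
        print(f"{item['name']:<26} {item['reason']:<30} {item['command']}")
```

The two gates are deliberate: the age threshold stops a disk detached five minutes ago during a VM rebuild from being swept up, and the tag gives owners a way to opt a resource out that survives the next run. The attached OS disk is excluded because `managedBy` is set, which is the signal to test rather than the disk name.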

Create Users and Groups in Microsoft Entra ID

Explanation

Microsoft Entra ID (formerly Azure AD) is Microsoft's cloud-based identity service. Users are individual identities for people, while groups are collections of users that can be assigned permissions together. You can create both through the Azure portal, the Azure CLI, or PowerShell.

Examples

Creating user accounts for new employees, setting up security groups for departments, creating mail-enabled groups for collaboration, using dynamic groups based on user attributes.

Enterprise Use Case

Organizations use this to onboard new employees, organize users by department or project, manage permissions efficiently through groups, and maintain consistent identity management.

Diagram

Microsoft Entra ID Identity Management:

    ┌─────────────────────────────────────────────────────────┐
    │                Microsoft Entra ID Tenant                │
    │                    (company.onmicrosoft.com)            │
    └─────────────────┬───────────────────────┬───────────────┘
                      │                       │
                      ▼                       ▼
            ┌─────────────────┐    ┌─────────────────────────┐
            │     👤 USERS     │    │       👥 GROUPS        │
            └─────────────────┘    └─────────────────────────┘
                      │                       │
            ┌─────────┼─────────┐            │
            │         │         │            │
            ▼         ▼         ▼            ▼
    ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌──────────────────┐
    │john@    │ │jane@    │ │admin@   │ │   Security Group │
    │company  │ │company  │ │company  │ │   ┌─────────────┐│
    │.com     │ │.com     │ │.com     │ │   │ Marketing   ││
    └─────────┘ └─────────┘ └─────────┘ │   │ - john      ││
                                        │   │ - jane      ││
    Creation Methods:                   │   └─────────────┘│
    ────────────────────                │                  │
    🖥️  Portal    (GUI clicks)         │   ┌─────────────┐│
    💻  CLI       (az ad user create)   │   │ IT Admins   ││
    ⚡  PowerShell (New-AzureADUser)    │   │ - admin     ││
                                        │   │ - sysadmin  ││
    Identity Flow:                      │   └─────────────┘│
    ──────────────                      └──────────────────┘
    User Creation → Group Assignment → Permission Inheritance

Manage User and Group Properties

Explanation

User properties include personal info, contact details, job information, and group memberships. Group properties include type (Security/Microsoft 365), membership type (Assigned/Dynamic), and group settings.

Examples

Updating user job titles, adding profile photos, setting manager relationships, configuring group dynamic membership rules, enabling group email features.

Enterprise Use Case

Used to maintain an accurate organizational directory, enable proper permission inheritance, support collaboration features, and ensure compliance with company policies.

Diagram

User Properties:
[User Object]
 |-- Display Name: "John Smith"
 |-- Job Title: "Developer"
 |-- Department: "Engineering"
 |-- Manager: "jane@company.com"
 |-- Groups: [Developers, All Employees]
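Dynamic membership is where group properties stop being static data: membership is recomputed from user attributes such as those listed above. The following is an added example written for this guide, not the Entra ID rule engine and not code from the page; it parses a subset of the rule syntax (the operators -eq, -ne, -in, -contains and -startsWith, combined with and, or, -not and parentheses) and evaluates it against constructed user records. Case-insensitive string matching and the sample users are assumptions.

```python
"""Evaluate an Entra ID dynamic group membership rule against user records.

Added example for this study guide, not the Entra ID rule engine. It handles a subset
of the rule syntax: `user.<property>` on the left; -eq, -ne, -in, -contains, -startsWith;
string, boolean, null and list literals; and, or, -not and parentheses. Assumptions:
string comparisons are case-insensitive here, and USERS are constructed records.
"""
import re
from collections import deque

TOKEN = re.compile(r"""\s*(?:
    (?P<lparen>\()|(?P<rparen>\))|(?P<lbracket>\[)|(?P<rbracket>\])|(?P<comma>,)
    |(?P<op>-(?:eq|ne|in|contains|startsWith)\b)
    |(?P<logic>-?not\b|and\b|or\b)
    |(?P<string>"(?:[^"\\]|\\.)*")
    |(?P<literal>true\b|false\b|null\b)
    |(?P<prop>user\.[A-Za-z][A-Za-z0-9]*)
)""", re.VERBOSE)

USERS = [  # constructed records, not a real directory
    {"userPrincipalName": "john@company.com", "department": "Marketing", "jobTitle": "Analyst", "accountEnabled": True},
    {"userPrincipalName": "jane@company.com", "department": "Marketing", "jobTitle": "Senior Manager", "accountEnabled": True},
    {"userPrincipalName": "admin@company.com", "department": "IT", "jobTitle": "Systems Administrator", "accountEnabled": True},
    {"userPrincipalName": "temp@company.com", "department": "Marketing", "jobTitle": "Contractor", "accountEnabled": False},
    {"userPrincipalName": "guest@partner.com", "department": None, "jobTitle": None, "accountEnabled": True},
]
MARKETING_RULE = '(user.department -eq "Marketing") and (user.accountEnabled -eq true)'


def tokenize(rule):
    tokens, pos = [], 0
    while pos < len(rule) and not rule[pos:].isspace():
        m = TOKEN.match(rule, pos)
        if not m:
            raise SyntaxError(f"unexpected text at offset {pos}: {rule[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def parse(rule):
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := '-not' factor | '(' expr ')' | prop op value. Returns a nested tuple tree."""
    toks = deque(tokenize(rule))
    def peek(): return toks[0] if toks else (None, None)
    def need(kind):
        k, text = peek()
        if k != kind: raise SyntaxError(f"expected {kind}, got {k} {text!r}")
        return toks.popleft()[1]
    def expr():
        node = term()
        while peek() == ("logic", "or"):
            toks.popleft(); node = ("or", node, term())
        return node
    def term():
        node = factor()
        while peek() == ("logic", "and"):
            toks.popleft(); node = ("and", node, factor())
        return node
    def factor():
        k, text = peek()
        if k == "logic" and text.endswith("not"):
            toks.popleft(); return ("not", factor())
        if k == "lparen":
            toks.popleft(); node = expr(); need("rparen"); return node
        prop = need("prop")[len("user."):]
        return ("cmp", prop, need("op"), value())
    def value():
        k, text = peek()
        if not toks: raise SyntaxError("rule ends where a value was expected")
        toks.popleft()
        if k == "string": return text[1:-1].replace('\\"', '"')
        if k == "literal": return {"true": True, "false": False, "null": None}[text]
        if k == "lbracket":
            items = []
            while peek()[0] != "rbracket":
                items.append(value())
                if peek()[0] == "comma": toks.popleft()
            toks.popleft()
            return items
        raise SyntaxError(f"expected a value, got {k} {text!r}")
    tree = expr()
    if toks: raise SyntaxError(f"unexpected token {toks[0][1]!r}")
    return tree


def compare(op, actual, expected):
    fold = lambda v: v.casefold() if isinstance(v, str) else v   # assumed case-insensitive
    a, e = fold(actual), fold(expected)
    if op in ("-eq", "-ne"):
        return (a == e) == (op == "-eq")
    if op == "-in":
        return a in [fold(x) for x in expected]
    if isinstance(a, str) and isinstance(e, str):   # -contains / -startsWith need strings on both sides
        return a.startswith(e) if op == "-startsWith" else e in a
    return False                                     # null or missing attribute never matches


def evaluate(node, user):
    if node[0] == "or":  return evaluate(node[1], user) or evaluate(node[2], user)
    if node[0] == "and": return evaluate(node[1], user) and evaluate(node[2], user)
    if node[0] == "not": return not evaluate(node[1], user)
    _, prop, op, expected = node
    return compare(op, user.get(prop), expected)


def members(rule, users):
    """UPNs of the users the rule selects, in input order (what the group would contain)."""
    tree = parse(rule)
    return [u["userPrincipalName"] for u in users if evaluate(tree, u)]
```

The guest record with a null department is the case worth watching: `-eq` never matches it, but `-not (user.department -in [...])` does, so a rule written as an exclusion can quietly pull in accounts with no attribute at all. Checking candidate rules against a sample like this before saving them is cheaper than discovering the membership change in an access review.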

Manage Licenses in Microsoft Entra ID

Explanation

Licenses assign service capabilities to users. You can assign licenses individually or through group-based licensing. Different license types provide access to different Microsoft services like Office 365, Azure services, and enterprise features.

Examples

Assigning Office 365 licenses to employees, using group-based licensing for departments, managing Azure AD Premium features, tracking license usage and costs.

Enterprise Use Case

Organizations use this to control access to paid services, manage software costs, ensure compliance with licensing agreements, and automate license assignment through groups.

Diagram

License Assignment:
[License Pool] --> [Assignment Method] --> [User Access]
     |                    |                    |
[Office 365]        [Direct Assignment]   [Teams, Excel]
[Azure AD Premium]  [Group-based]        [MFA, Reporting]
[Enterprise Apps]   [Automated]          [Custom Apps]

Manage External Users (B2B/B2C)

Explanation

B2B collaboration allows external partners to access your resources using their own identities. B2C enables customer-facing applications to authenticate consumers. External users maintain their own credentials while accessing your resources.

Examples

Inviting contractors to project teams, enabling partner access to shared resources, building customer portals, integrating with supplier systems.

Enterprise Use Case

Used for secure collaboration with partners, enabling customer self-service applications, extending business processes to external parties, and maintaining security boundaries.

Diagram

External User Types:
[Your Tenant] <-- B2B --> [Partner Organizations]
      |                         |
  [Internal Users]        [Partner Users]
      |                         |
  [Employees]            [Contractors, Vendors]
      
[Your App] <-- B2C --> [Consumers]
     |                      |
[Services]            [Personal Accounts]

Configure Self-Service Password Reset (SSPR)

Explanation

SSPR allows users to reset their passwords without involving the IT help desk. Users verify their identity through multiple authentication methods before a reset is allowed. This reduces IT workload and improves user productivity.

Examples

Setting up phone verification for password reset, configuring security questions, enabling email verification, requiring multiple verification methods for enhanced security.

Enterprise Use Case

Organizations use SSPR to reduce help desk tickets, improve user experience, maintain security while enabling self-service, and ensure business continuity.

Diagram

SSPR Process:
[User Forgot Password] --> [SSPR Portal] --> [Verification] --> [New Password]
          |                      |              |                  |
    [Login Failure]         [Identity Check]  [Phone/Email]    [Access Restored]
                                 |              [Security Q&A]
                           [Multiple Methods]   [Authenticator]

Manage Microsoft Entra Administrative Units

Explanation

Administrative units allow you to delegate admin permissions to specific organizational units or geographic regions. They provide a way to scope administrative access to subsets of users, groups, or devices.

Examples

Creating admin units for different offices, delegating user management to regional IT teams, isolating administrative access by department, managing student accounts by school.

Enterprise Use Case

Large organizations use admin units to delegate administration while maintaining security boundaries, comply with data residency requirements, and implement role-based governance.

Diagram

Administrative Units:
[Global Admin]
    |
[Administrative Units]
    |-- [North America Unit]
    |    |-- Users: US/Canada employees
    |    |-- Admins: Regional IT team
    |
    |-- [Europe Unit]
         |-- Users: EU employees  
         |-- Admins: European IT team

Manage Microsoft Entra Devices

Explanation

Device management involves registering and joining devices to Microsoft Entra ID. Azure AD Join provides cloud-based device identity, while device registration enables device-based conditional access policies.

Examples

Joining Windows devices to Azure AD, registering mobile devices for access, implementing device compliance policies, enabling single sign-on on corporate devices.

Enterprise Use Case

Organizations use device management for security compliance, enabling seamless user experience across devices, implementing conditional access, and maintaining device inventory.

Diagram

Device Management:
[Device Types]
    |-- [Azure AD Joined] (Corporate owned)
    |-- [Azure AD Registered] (BYOD)
    |-- [Hybrid Joined] (On-prem + Cloud)
         |
    [Device Policies]
         |-- Compliance Rules
         |-- Conditional Access
         |-- Device Configuration

Manage Authentication Methods

Explanation

Authentication methods include passwords, MFA factors (phone, authenticator apps, FIDO2 keys), and passwordless options. Modern authentication emphasizes security and user experience through multiple verification factors.

Examples

Configuring Microsoft Authenticator, setting up SMS verification, implementing FIDO2 security keys, enabling Windows Hello for Business, configuring phone sign-in.

Enterprise Use Case

Organizations use various authentication methods to balance security and usability, comply with security standards, reduce password-related attacks, and improve user experience.

Diagram

Authentication Methods:
[User Identity]
    |
[Verification Methods]
    |-- Something you know (Password)
    |-- Something you have (Phone, Token)
    |-- Something you are (Biometrics)
    |
[MFA Combinations]
    |-- Password + Phone
    |-- Passwordless (Biometrics + Device)

Manage Built-in Azure Roles

Explanation

Azure provides over 100 built-in roles like Owner, Contributor, Reader, and service-specific roles. These roles define what actions users can perform on Azure resources. Built-in roles cannot be modified but provide comprehensive coverage for most scenarios.

Examples

Assigning "Virtual Machine Contributor" for VM management, "Storage Account Contributor" for storage operations, "Reader" for view-only access, "User Access Administrator" for managing access.

Enterprise Use Case

Organizations use built-in roles to quickly assign appropriate permissions without creating custom roles, ensuring consistency and following Microsoft security best practices.

Diagram

Built-in Role Examples:
[Role Hierarchy]
    |-- Owner (Full access + assign access to others)
    |-- Contributor (Full access, cannot assign access)
    |-- Reader (View only, no modifications)
    |-- Service-specific roles
         |-- VM Contributor (VM management only)
         |-- Storage Contributor (Storage management only)

Assign Roles at Different Scopes

Explanation

Azure RBAC uses hierarchical scopes: Management Group, Subscription, Resource Group, and Resource. Permissions assigned at higher scopes are inherited by lower scopes. This enables efficient permission management at scale.

Examples

Assigning billing roles at subscription level, giving developers access to specific resource groups, granting read access to entire management groups, limiting access to individual resources.

Enterprise Use Case

Organizations use scope-based assignments to implement least privilege access, manage permissions efficiently across large environments, and maintain security boundaries.
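Scope inheritance is easy to state and easy to get wrong in an access review, so here it is as an added example written for this guide (not Azure's authorization engine and not code from the page). The scopes follow the real resource-ID layout; the subscription GUIDs, the management-group membership and the assignments are constructed to mirror the diagram in this section. `effective_roles` walks from a resource up through its resource group, subscription and management group, unioning every assignment it finds, and `who_has_access` lists everyone reaching a resource together with the scope their role came from.

```python
"""Resolve effective Azure RBAC roles at a scope by walking up the scope hierarchy.

Added example for this study guide; it is not Azure's authorization engine. Scope
strings use the real Azure resource ID layout, but the subscription GUIDs, the
management-group membership and the assignments are constructed to mirror the
diagram in this section. Assumption: scopes are compared verbatim here (Azure
itself treats them case-insensitively).
"""

MG_CORPORATE = "/providers/Microsoft.Management/managementGroups/Corporate"
SUB_PROD = "/subscriptions/11111111-1111-1111-1111-111111111111"   # "Production" (placeholder GUID)
SUB_DEV = "/subscriptions/22222222-2222-2222-2222-222222222222"    # "Development" (placeholder GUID)

# Management groups are not path prefixes of subscription IDs, so the link from a
# subscription to its management group must be looked up rather than parsed.
SUBSCRIPTION_PARENT = {SUB_PROD: MG_CORPORATE, SUB_DEV: MG_CORPORATE}
MANAGEMENT_GROUP_PARENT = {MG_CORPORATE: None}   # the tenant root group would sit above this

ASSIGNMENTS = [  # (principal, role, scope), as drawn in the diagram
    ("cfo", "Owner", MG_CORPORATE),
    ("it-manager", "Owner", SUB_PROD),
    ("dev-lead", "Owner", SUB_DEV),
    ("webdev", "Contributor", f"{SUB_PROD}/resourceGroups/Web-Prod"),
    ("dba", "SQL DB Contributor", f"{SUB_PROD}/resourceGroups/DB-Prod"),
    ("devteam", "Contributor", f"{SUB_DEV}/resourceGroups/Web-Dev"),
    ("tester", "Reader", f"{SUB_DEV}/resourceGroups/Test-RG"),
]

WEBSVR01 = f"{SUB_PROD}/resourceGroups/Web-Prod/providers/Microsoft.Compute/virtualMachines/WebSvr01"


def parent_scope(scope):
    """Next scope up the hierarchy, or None above the top management group."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return MANAGEMENT_GROUP_PARENT.get(scope)
    if scope.startswith("/subscriptions/") and scope.count("/") == 2:
        return SUBSCRIPTION_PARENT.get(scope)            # unknown subscription: no parent
    if "/providers/" in scope:
        head, tail = scope.split("/providers/", 1)
        segments = tail.split("/")                        # namespace, type, name[, childType, childName ...]
        if len(segments) > 3:                             # child resource: parent is the containing resource
            return f"{head}/providers/" + "/".join(segments[:-2])
        return head                                       # top-level resource: parent is the resource group
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/", 1)[0]     # resource group: parent is the subscription
    raise ValueError(f"unrecognized scope: {scope}")


def scope_chain(scope):
    """The scope itself followed by each ancestor, up to the top."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain


def effective_roles(principal, scope, assignments=ASSIGNMENTS):
    """Roles `principal` holds at `scope`: the union of its assignments at that scope and
    at every ancestor. Nothing assigned below `scope` counts, and nothing subtracts."""
    chain = set(scope_chain(scope))
    return sorted({role for who, role, at in assignments if who == principal and at in chain})


def who_has_access(scope, assignments=ASSIGNMENTS):
    """Every (principal, role, granting scope) that reaches `scope`: the access-review view."""
    chain = set(scope_chain(scope))
    return sorted((who, role, at) for who, role, at in assignments if at in chain)


if __name__ == "__main__":
    for who, role, at in who_has_access(WEBSVR01):
        print(f"{who:<12} {role:<12} via {at}")
```

Two consequences fall out of the walk. The CFO's Owner role at the management group reaches every VM in both subscriptions without appearing on any of them, which is why reviewing a resource's own assignments is not enough. And adding a Reader assignment for the web developer at the subscription does not narrow the Contributor role they already hold on the resource group; the roles add up, which is the behaviour the exam tip at the top of this guide warns about.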

Diagram

Azure RBAC Scope Hierarchy & Inheritance:

    ┌─────────────────────────────────────────────────────────────┐
    │                🏢 MANAGEMENT GROUP                          │
    │               "Corporate" (Broadest Scope)                  │
    │  👤 CFO → Owner Role                                       │
    └─┬─────────────────────────────────────────────────────────┬─┘
      │ ⬇️ Permissions inherited by all child scopes            │
      │                                                         │
    ┌─▼─────────────────────┐              ┌─────────────────────▼─┐
    │    💳 SUBSCRIPTION     │              │    💳 SUBSCRIPTION     │
    │    "Production"        │              │    "Development"       │
    │ 👤 IT Manager → Owner  │              │ 👤 Dev Lead → Owner    │
    └─┬───────────────────┬─┘              └─┬─────────────────────┬─┘
      │ ⬇️ Inherited +     │                  │ ⬇️ Inherited +     │
      │    Subscription    │                  │    Subscription    │
      │    permissions     │                  │    permissions     │
      │                   │                  │                   │
    ┌─▼─────────────┐   ┌─▼─────────────┐  ┌─▼─────────────┐   ┌─▼─────────────┐
    │📁 RESOURCE     │   │📁 RESOURCE     │  │📁 RESOURCE     │   │📁 RESOURCE     │
    │   GROUP        │   │   GROUP        │  │   GROUP        │   │   GROUP        │
    │"Web-Prod"      │   │"DB-Prod"       │  │"Web-Dev"       │   │"Test-RG"       │
    │👤 WebDev →     │   │👤 DBA →        │  │👤 DevTeam →    │   │👤 Tester →     │
    │  Contributor   │   │  DB Contrib    │  │  Contributor   │   │  Reader        │
    └─┬─────────────┬┘   └─┬─────────────┬┘  └─┬─────────────┬┘   └─┬─────────────┬┘
      │ ⬇️ Inherited │      │ ⬇️ Inherited │    │ ⬇️ Inherited │      │ ⬇️ Inherited │
      │ + RG perms  │      │ + RG perms  │    │ + RG perms  │      │ + RG perms  │
      │             │      │             │    │             │      │             │
    ┌─▼──────┐    ┌─▼──────┐ ┌─▼──────┐ ┌─▼──────┐ ┌─▼──────┐    ┌─▼──────┐
    │🖥️ VM    │    │🌐 LB   │ │💾 SQL  │ │📊 DB   │ │🖥️ VM   │    │🧪 Test │
    │WebSvr01 │    │WebLB   │ │Server  │ │Backup  │ │DevSvr01│    │VM      │
    │         │    │        │ │        │ │        │ │        │    │        │
    └─────────┘    └────────┘ └────────┘ └────────┘ └────────┘    └────────┘

    Permission Inheritance Rules:
    ────────────────────────────
    ✅ Permissions flow DOWN the hierarchy automatically
    ✅ Child scopes inherit ALL parent permissions  
    ✅ Additional permissions can be granted at lower levels
    ❌ Child permissions CANNOT override parent denials
    ❌ You cannot "remove" inherited permissions
    
    Best Practices:
    ──────────────
    🎯 Assign broad permissions at higher scopes
    🔒 Use specific permissions for sensitive resources
    📊 Regular access reviews at all scope levels

Create and Assign Custom RBAC Roles

Explanation

Custom roles are created when built-in roles don't meet specific requirements. You define custom permissions using actions, notActions, dataActions, and notDataActions. Custom roles can be scoped to subscriptions or resource groups.

Examples

Creating a role that can start/stop VMs but not delete them, allowing read access to logs but not configuration changes, combining specific permissions from multiple built-in roles.

Enterprise Use Case

Used when built-in roles are too broad or narrow, implementing company-specific security policies, meeting compliance requirements with precise permission sets.

Diagram

Custom Role Structure:
{
  "Name": "Custom VM Operator",
  "IsCustom": true,
  "Description": "Start and restart VMs without being able to delete them",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [
    "Microsoft.Compute/virtualMachines/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}

Interpret Access Assignments

Explanation

Understanding effective permissions requires analyzing direct assignments, inherited permissions, and group memberships. Azure provides tools to view effective access and troubleshoot permission issues.

Examples

Using "Check Access" feature, reviewing effective permissions, troubleshooting access denied errors, auditing user permissions across resources.

Enterprise Use Case

Used for troubleshooting access issues, security audits, compliance reporting, and ensuring users have appropriate access levels.

Diagram

Access Analysis:
[User] --> [Effective Permissions]
  |              |
[Direct Roles]   [Final Access Level]
[Group Roles]    [Combined from all sources]
[Inherited]      [Troubleshooting tools]
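
The scope-inheritance, custom-role and access-interpretation rules from the three sections above, worked through as an added Python example (not code from the study guide or from Microsoft). The scope hierarchy, role definitions, principals, group memberships and assignments are constructed sample data and the subscription id is a placeholder; Python is used because the evaluation logic, not a particular CLI, is the point.

```python
"""Effective Azure RBAC access over the scope hierarchy (added example, not
from the study guide or Microsoft). It models the rules in the scope,
custom-role and access-interpretation sections above: inheritance down
management group > subscription > resource group > resource, wildcard
Actions minus NotActions, group membership, and deny assignments that no
lower-scope assignment can override. All data below is constructed; the
subscription id is a placeholder.
"""
import re
from dataclasses import dataclass, field

MG = "/providers/Microsoft.Management/managementGroups/Corporate"
SUB = "/subscriptions/<subscription-id>"        # placeholder, not a real id
WEB_RG = f"{SUB}/resourceGroups/Web-Prod"
DB_RG = f"{SUB}/resourceGroups/DB-Prod"
WEBSVR = f"{WEB_RG}/providers/Microsoft.Compute/virtualMachines/WebSvr01"
WEBLB = f"{WEB_RG}/providers/Microsoft.Network/loadBalancers/WebLB"
SQLSRV = f"{DB_RG}/providers/Microsoft.Sql/servers/Server"

# Constructed hierarchy: child scope -> parent scope (the management group is the root).
PARENT = {SUB: MG, WEB_RG: SUB, DB_RG: SUB, WEBSVR: WEB_RG, WEBLB: WEB_RG, SQLSRV: DB_RG}


def matches(pattern: str, action: str) -> bool:
    """Azure operation matching: case-insensitive, '*' spans any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


@dataclass
class Role:
    actions: list
    not_actions: list = field(default_factory=list)

    def permits(self, action: str) -> bool:
        # NotActions only subtract from Actions; they are not a deny.
        granted = any(matches(p, action) for p in self.actions)
        excluded = any(matches(p, action) for p in self.not_actions)
        return granted and not excluded


ROLES = {
    "Owner": Role(["*"]),
    "Contributor": Role(["*"], ["Microsoft.Authorization/*/Write",
                               "Microsoft.Authorization/*/Delete",
                               "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": Role(["*/read"]),
    # The custom role from the Examples above: operate VMs but never delete them.
    "VM Operator": Role(["Microsoft.Compute/virtualMachines/*"],
                        ["Microsoft.Compute/virtualMachines/delete"]),
}

# (principal, role, scope); a principal may be a user or a group.
ASSIGNMENTS = [
    ("cfo", "Owner", MG),
    ("webdev", "Contributor", WEB_RG),
    ("tester", "Reader", WEB_RG),
    ("DBAs", "Contributor", DB_RG),
    ("ops", "VM Operator", SUB),
]
GROUPS = {"dba": {"DBAs"}}                      # user -> groups the user belongs to
# Deny assignments: (principal or "ALL", action patterns, scope). They win over any role.
DENIES = [("ALL", ["Microsoft.Compute/virtualMachines/delete"], WEBSVR)]


def scope_chain(target: str) -> list:
    """Scopes whose assignments apply to target: itself and every ancestor."""
    chain, scope = [], target
    while scope:
        chain.append(scope)
        scope = PARENT.get(scope)
    return chain


def explain_access(principal: str, action: str, target: str) -> list:
    """(role, scope, assigned-to) tuples that grant the action; empty means no grant."""
    identities = {principal} | GROUPS.get(principal, set())
    chain = scope_chain(target)
    return [(role, scope, who) for who, role, scope in ASSIGNMENTS
            if who in identities and scope in chain and ROLES[role].permits(action)]


def is_denied(principal: str, action: str, target: str) -> bool:
    """True if a deny assignment at the target or any ancestor covers the action."""
    identities = {principal, "ALL"} | GROUPS.get(principal, set())
    chain = scope_chain(target)
    return any(who in identities and scope in chain and any(matches(p, action) for p in pats)
               for who, pats, scope in DENIES)


def can_perform(principal: str, action: str, target: str) -> bool:
    """Effective access: a matching deny blocks; otherwise one granting assignment suffices."""
    return not is_denied(principal, action, target) and bool(explain_access(principal, action, target))


if __name__ == "__main__":   # troubleshooting view: grants found, and the effective answer
    print(explain_access("cfo", "Microsoft.Compute/virtualMachines/delete", WEBSVR),
          can_perform("cfo", "Microsoft.Compute/virtualMachines/delete", WEBSVR))
```

explain_access lists the assignments that would grant an action even when a deny assignment blocks it, which is the distinction the "Check Access" view makes when an Owner still gets "access denied".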

Configure Resource Locks

Explanation

Resource locks prevent accidental deletion or modification of critical resources. Two types exist: CanNotDelete (blocks deletion but still allows modification) and ReadOnly (blocks modification, which includes deletion). Locks are inherited by child resources.

Examples

Protecting production databases from deletion, preventing changes to network configurations, securing critical storage accounts, protecting entire resource groups.

Enterprise Use Case

Organizations use locks to prevent accidental changes to critical infrastructure, ensure business continuity, and implement change control processes.

Diagram

Resource Lock Types:
[Resource] --> [Lock Type] --> [Effect]
    |             |              |
[Production]  [CanNotDelete]  [Can modify, cannot delete]
[Critical]    [ReadOnly]      [Cannot modify or delete]

Apply and Manage Tags on Resources

Explanation

Tags are name-value pairs that help organize and track resources. They are used for cost management, automation, resource organization, and governance. Tags can be applied at resource group or individual resource level, but they are not inherited: a tag on a resource group does not automatically appear on the resources inside it.

Examples

Tagging resources by department for cost allocation, environment tags (dev/test/prod), project tags for tracking, owner tags for responsibility.

Enterprise Use Case

Organizations use tags for cost tracking and chargeback, resource organization, automated operations, compliance reporting, and resource lifecycle management.

Diagram

Resource Tagging:
[Resource] --> [Tags] --> [Benefits]
    |            |           |
[VM]        [Environment: Prod]  [Cost Tracking]
[Storage]   [Department: IT]     [Organization]
[Network]   [Project: WebApp]    [Automation]

Manage Resource Groups

Explanation

Resource groups are logical containers for Azure resources. They provide a way to organize related resources, apply policies, and manage permissions collectively. Resources in a group typically share the same lifecycle.

Examples

Grouping web app components together, organizing resources by environment, creating project-specific resource groups, grouping by geographical location.

Enterprise Use Case

Used to organize related resources, simplify management and billing, apply consistent policies, and implement role-based access control at scale.

Diagram

Resource Group Structure:
[Resource Group: "WebApp-Prod"]
    |-- Web App
    |-- SQL Database  
    |-- Storage Account
    |-- Application Insights
    |-- [Shared policies, permissions, and lifecycle]

Manage Azure Subscriptions

Explanation

Subscriptions are billing and management boundaries in Azure. Different subscription types serve various purposes: Pay-as-you-go, Enterprise Agreement, CSP, and Free Trial. Each has different limits, quotas, and pricing.

Examples

Separating dev/test/prod environments, organizing by department or project, managing different billing accounts, implementing governance boundaries.

Enterprise Use Case

Organizations use multiple subscriptions for cost management, billing separation, governance boundaries, compliance requirements, and resource organization.

Diagram

Subscription Hierarchy:
[Management Group]
    |-- [Production Subscription]
    |-- [Development Subscription]  
    |-- [Test Subscription]
         |
    [Each has separate billing, quotas, and governance]

Create Users via Azure Portal

Explanation

The Azure portal provides a graphical interface to create and manage Microsoft Entra ID users and groups. It offers wizards, forms, and visual dashboards for user management tasks.

Examples

Using "New user" wizard, bulk user creation from CSV, creating security groups with membership rules, assigning licenses through the portal interface.

Enterprise Use Case

IT administrators prefer the portal for occasional user management, training new staff, visual verification of configurations, and complex setup requiring multiple steps.

Diagram

Portal User Creation:
Azure Portal → Microsoft Entra ID → Users → New User
    |
[User Form] → [Basic Info] → [Properties] → [Groups] → [Roles]

Create Users via Azure CLI

Explanation

Azure CLI provides a command-line interface for creating and managing Microsoft Entra ID users and groups. It supports automation, scripting, and batch operations through simple commands.

Examples

Using "az ad user create" command, scripting bulk user creation, automating user provisioning in DevOps pipelines, managing users from Linux/Mac terminals.

Enterprise Use Case

Developers and DevOps teams use CLI for automation, scripting repetitive tasks, cross-platform management, and integrating user management into CI/CD pipelines.

Diagram

CLI User Commands:
# Take the initial password from a secure source rather than a hard-coded literal, and force a change at first sign-in
az ad user create --display-name "John Doe" --user-principal-name john@company.com --password "<initial-password>" --force-change-password-next-sign-in true

az ad group create --display-name "Developers" --mail-nickname "devs"

az ad group member add --group "Developers" --member-id <user-id>

Create Users via PowerShell

Explanation

PowerShell provides powerful scripting capabilities for Microsoft Entra ID user and group management. It offers object-oriented commands, advanced filtering, and integration with Windows environments.

Examples

Using New-AzureADUser cmdlet, bulk operations with CSV import, advanced filtering with PowerShell objects, integration with on-premises Active Directory.

Enterprise Use Case

Windows administrators prefer PowerShell for complex scripting, advanced automation, integration with existing PowerShell infrastructure, and sophisticated user management workflows.

Diagram

PowerShell User Commands:
# AzureAD module cmdlets (Microsoft has since retired this module in favour of Microsoft Graph PowerShell, e.g. New-MgUser)
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = "<initial-password>"
$passwordProfile.ForceChangePasswordNextLogin = $true
New-AzureADUser -DisplayName "John Doe" -UserPrincipalName "john@company.com" -MailNickName "john" -AccountEnabled $true -PasswordProfile $passwordProfile

New-AzureADGroup -DisplayName "Developers" -MailNickName "devs" -MailEnabled $false -SecurityEnabled $true

$userId = (Get-AzureADUser -ObjectId "john@company.com").ObjectId
$groupId = (Get-AzureADGroup -SearchString "Developers").ObjectId
Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $userId

Azure AD B2B Collaboration

Explanation

B2B (Business-to-Business) collaboration allows external partners to access your resources using their own identities. Partners maintain their credentials while gaining access to your apps and resources through invitation-based access.

Examples

Inviting contractors to project teams, sharing documents with partners, allowing vendors to access specific applications, enabling consultant access to development environments.

Enterprise Use Case

Organizations use B2B for secure partner collaboration, vendor management, consultant access, and cross-organization project teams without managing external user credentials.

Diagram

Azure AD B2B Collaboration Architecture:

    ┌─────────────────────────────────────────────────────────────────┐
    │                    YOUR ORGANIZATION                            │
    │                 (Entra ID Tenant A)                            │
    └─┬─────────────────────────────────────────────────────────────┬─┘
      │                                                             │
      │  📧 Invitation Email                                        │
      ├─────────────────────────────────►                          │
      │                                                             │
    ┌─▼─────────────────────────────────┐    ┌─────────────────────▼─┐
    │        📋 YOUR RESOURCES          │    │    🏢 PARTNER ORG     │
    │                                   │    │   (Entra ID Tenant B) │
    │  📁 SharePoint Sites              │    │                       │
    │  👥 Microsoft Teams               │◄───┤  👤 partner@vendor    │
    │  💼 Business Applications         │    │      .com             │
    │  📊 Power BI Reports             │    │                       │
    │  🗄️  Internal Databases          │    │  🔐 Keeps own:        │
    └───────────────────────────────────┘    │  - Password           │
                                             │  - MFA Settings       │
    B2B Authentication Flow:                 │  - Identity Provider  │
    ────────────────────────                 └───────────────────────┘
    
    1. 📤 Send invitation → partner@vendor.com
    2. 📧 Partner receives email with redemption link  
    3. 🔑 Partner signs in with THEIR credentials
    4. ✅ Azure AD creates guest account in YOUR tenant
    5. 🚪 Partner accesses YOUR resources as guest user
    6. 🔒 Partner maintains their own identity/password
    
    Security Benefits:
    ─────────────────
    ✓ No password management for external users
    ✓ Partner controls their own identity lifecycle  
    ✓ You control resource access permissions
    ✓ Audit trail of all guest user activities

Azure AD B2C (Business to Consumer)

Explanation

B2C enables customer-facing applications to authenticate consumers using their preferred social, enterprise, or local account identities. It provides customizable login experiences and supports millions of consumer identities.

Examples

Customer portals with Facebook login, e-commerce sites with Google authentication, mobile apps with social sign-in, loyalty programs with custom branding.

Enterprise Use Case

Used for customer-facing applications, e-commerce platforms, mobile applications, customer service portals, and any application requiring consumer identity management.

Diagram

B2C Consumer Flow:
[Consumer App] → [Azure AD B2C] → [Identity Providers]
       |              |                    |
[Your Website]   [Custom UI]      [Facebook, Google, Local]
       |              |                    |
[User Experience] ← [Token] ← [Consumer Chooses]

Manage Administrative Units via Portal

Explanation

The Azure portal provides a visual interface for creating and managing administrative units. You can use the portal to organize users and groups into administrative boundaries and delegate permissions.

Examples

Creating regional admin units through portal interface, using drag-and-drop to assign users to units, visual permission management, monitoring admin unit membership.

Enterprise Use Case

IT administrators use the portal for initial setup, visual organization of administrative boundaries, and when they need to see the hierarchical structure of admin units.

Diagram

Portal Admin Units:
Azure Portal → Microsoft Entra ID → Administrative Units
    |
[Create Unit] → [Add Members] → [Assign Roles] → [Monitor]

Manage Administrative Units via CLI

Explanation

Azure CLI can manage administrative units from the command line by calling the Microsoft Graph API with az rest, since it has no dedicated administrative unit command group. This enables scripting, automation, and programmatic management of administrative boundaries.

Examples

Creating admin units from the CLI with az rest calls to Microsoft Graph, scripting bulk assignments, automating unit creation in DevOps pipelines.

Enterprise Use Case

DevOps teams and administrators who prefer command-line tools use CLI for automating administrative unit management and integrating with scripts.

Diagram

CLI Admin Unit Commands:
# Azure CLI has no administrative-unit command group; call Microsoft Graph through az rest (ids are placeholders)
az rest --method POST --url 'https://graph.microsoft.com/v1.0/directory/administrativeUnits' --body '{"displayName": "North America"}'
az rest --method POST --url 'https://graph.microsoft.com/v1.0/directory/administrativeUnits/<unit-id>/members/$ref' --body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/<user-id>"}'
# Scope a directory role (User Administrator) to the unit; this is an Entra directory role assignment, not an Azure RBAC one
az rest --method POST --url 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments' --body '{"principalId": "<admin-id>", "roleDefinitionId": "<user-administrator-role-definition-id>", "directoryScopeId": "/administrativeUnits/<unit-id>"}'

Manage Administrative Units via PowerShell

Explanation

PowerShell provides object-oriented management of administrative units with rich scripting capabilities. It offers advanced filtering, bulk operations, and integration with Windows environments.

Examples

Using New-AzureADMSAdministrativeUnit cmdlet, bulk membership management, complex permission assignments, integration with existing PowerShell workflows.

Enterprise Use Case

Windows administrators and PowerShell experts use it for complex administrative unit management, advanced automation, and integration with enterprise PowerShell infrastructure.

Diagram

PowerShell Admin Unit Cmdlets:
New-AzureADMSAdministrativeUnit -DisplayName "Europe Division"
Add-AzureADMSAdministrativeUnitMember -Id $unitId -RefObjectId $userId
# $unitScope takes the form "/administrativeUnits/<unit-id>", which restricts the role to members of that unit
New-AzureADMSRoleAssignment -RoleDefinitionId $roleId -PrincipalId $adminId -DirectoryScopeId $unitScope

Configure Device Settings

Explanation

Device settings in Microsoft Entra ID control how devices interact with your organization. Settings include device registration policies, compliance requirements, and access controls for corporate resources.

Examples

Setting device compliance policies, configuring automatic device registration, managing device trust relationships, setting up conditional access based on device state.

Enterprise Use Case

Organizations use device settings to maintain security standards, ensure compliance, control access to resources, and manage corporate vs. personal device access.

Diagram

Device Settings:
[Device Settings]
    |-- Registration [Auto/Manual]
    |-- Compliance [Required/Optional] 
    |-- Trust Level [Corporate/Personal]
    |-- Access Control [Conditional Policies]

Azure AD Join

Explanation

Azure AD Join connects devices directly to Azure AD without needing on-premises Active Directory. Joined devices get single sign-on access to cloud resources and can be managed through Intune.

Examples

Joining Windows 10/11 devices to Azure AD during setup, enabling SSO to Office 365, managing devices through Intune, implementing conditional access policies.

Enterprise Use Case

Modern organizations use Azure AD Join for cloud-first device management, remote workers, and simplified device lifecycle management without on-premises infrastructure.

Diagram

Azure AD Join Process:
[Windows Device] → [Azure AD Join] → [Cloud Identity]
        |               |                   |
[OOBE/Settings]   [Authentication]    [SSO Access]
        |               |                   |
[Corporate WiFi]  [Work Account]     [Office 365, Apps]

Multi-Factor Authentication (MFA)

Explanation

MFA requires users to provide two or more independent forms of verification before accessing resources, drawn from something you know (password), something you have (phone or token), and something you are (biometrics).

Examples

SMS codes to mobile phones, Microsoft Authenticator app notifications, phone call verification, FIDO2 security keys, biometric authentication.

Enterprise Use Case

Organizations implement MFA to enhance security, meet compliance requirements, protect against password attacks, and secure sensitive resource access.

Diagram

MFA Verification:
[User Login] → [Password] → [MFA Challenge] → [Access Granted]
     |            |              |                |
[Username]   [Something     [Phone/App        [Authenticated
              you know]     Authenticator]     Session]

Authentication Methods

Explanation

Authentication methods are the various ways users can prove their identity. Methods include passwords, passwordless options, biometrics, tokens, and certificates, each with different security and usability characteristics.

Examples

Windows Hello for Business, FIDO2 security keys, certificate-based authentication, SMS and voice calls, authenticator apps, temporary access passes.

Enterprise Use Case

Organizations choose authentication methods based on security requirements, user experience goals, compliance needs, and device capabilities.

Diagram

Authentication Methods:
[Passwords] → Traditional knowledge-based
[Passwordless] → Phone sign-in, Windows Hello
[Certificates] → Smart cards, device certificates  
[Biometrics] → Fingerprint, face recognition
[Tokens] → Hardware keys, app-generated codes

Self-Service Password Reset Authentication

Explanation

SSPR authentication methods are the verification options users can choose when resetting their passwords. These methods prove user identity before allowing password changes.

Examples

Mobile app notification, mobile app code, email verification, mobile phone SMS, office phone call, security questions.

Enterprise Use Case

Organizations configure multiple SSPR methods to balance security and accessibility, ensuring users can reset passwords even if one method is unavailable.

Diagram

SSPR Authentication Flow:
[Forgot Password] → [Choose Method] → [Verify Identity] → [Reset Password]
        |               |                 |                  |
[Login Page]      [Email/Phone/App]   [Code/Call]      [New Password]

Assign Roles via Azure Portal

Explanation

The Azure portal provides a graphical interface for assigning RBAC roles to users, groups, or applications. It offers visual role selection, scope definition, and assignment management.

Examples

Using Access Control (IAM) blade, selecting roles from dropdown menus, visual scope selection, bulk role assignments, reviewing effective permissions.

Enterprise Use Case

IT administrators use the portal for role assignments when they need visual confirmation, are training new staff, or performing one-off assignments.

Diagram

Portal Role Assignment:
Resource → Access Control (IAM) → Add Role Assignment
    |           |                      |
[Scope]    [Role Definition]      [Security Principal]
    |           |                      |
[Subscription, RG] [Owner, Contributor] [User, Group, App]

Assign Roles via Azure CLI

Explanation

Azure CLI enables command-line role assignment through "az role assignment" commands. It supports scripting, automation, and programmatic role management.

Examples

Using "az role assignment create" command, scripting bulk role assignments, automating permissions in deployment pipelines, cross-platform role management.

Enterprise Use Case

DevOps teams and script-oriented administrators use CLI for automated role assignments, infrastructure as code, and cross-platform environments.

Diagram

CLI Role Assignment:
az role assignment create \
  --assignee user@company.com \
  --role "Virtual Machine Contributor" \
  --scope "/subscriptions/.../resourceGroups/myRG"

Assign Roles via PowerShell

Explanation

PowerShell provides object-oriented role assignment through cmdlets like New-AzRoleAssignment. It offers advanced scripting, filtering, and integration with Windows environments.

Examples

Using New-AzRoleAssignment cmdlet, bulk assignments with CSV import, complex filtering with PowerShell objects, integration with existing PowerShell workflows.

Enterprise Use Case

Windows administrators and PowerShell experts use it for complex role assignment scenarios, advanced automation, and integration with enterprise PowerShell infrastructure.

Diagram

PowerShell Role Assignment:
New-AzRoleAssignment -ObjectId $userId -RoleDefinitionName "Contributor" -Scope $resourceGroupScope

Get-AzRoleAssignment -SignInName user@company.com | Format-Table

Built-in Azure Policies

Explanation

Built-in policies are pre-defined policy rules created by Microsoft that address common governance scenarios. They cover security, compliance, cost management, and operational requirements without requiring custom JSON policy definitions.

Examples

"Require SSL only" for storage accounts, "Allowed VM sizes" to control costs, "Require tags on resources" for organization, "Allowed locations" for compliance.

Enterprise Use Case

Organizations use built-in policies to quickly implement common governance rules, meet compliance requirements, and follow Microsoft security best practices.

Diagram

Built-in Policy Categories:
[Security] → SSL requirements, encryption
[Compliance] → Industry standards, regulations
[Cost Management] → VM sizes, resource limits  
[Operations] → Naming conventions, tagging

Custom Azure Policies

Explanation

Custom policies are user-defined JSON policy rules that address specific organizational requirements not covered by built-in policies. They use the Azure Policy definition language to define conditions, effects, and parameters.

Examples

Custom naming conventions, specific security requirements, unique compliance needs, organization-specific resource configurations.

Enterprise Use Case

Organizations create custom policies when built-in policies don't meet specific needs, for unique compliance requirements, or proprietary governance rules.

Diagram

Custom Policy Structure (an "allowed locations" definition):
{
  "mode": "Indexed",
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "metadata": { "displayName": "Allowed locations" }
    }
  },
  "policyRule": {
    "if": {
      "not": { "field": "location", "in": "[parameters('allowedLocations')]" }
    },
    "then": { "effect": "deny" }
  }
}

Azure Policy Initiatives

Explanation

Policy initiatives (also called policy sets) group multiple related policies together for simplified management and compliance tracking. They enable bulk assignment and provide unified compliance reporting.

Examples

"Security Center" initiative with multiple security policies, "ISO 27001" compliance bundle, "Cost optimization" initiative, "NIST" cybersecurity framework.

Enterprise Use Case

Organizations use initiatives to manage related policies as a group, simplify compliance reporting, and implement comprehensive governance frameworks.

Diagram

Policy Initiative Structure:
[Initiative: "Security Baseline"]
    |-- Policy: Require HTTPS
    |-- Policy: Enable encryption  
    |-- Policy: Disable public endpoints
    |-- Policy: Require strong passwords
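
The policy rule language shared by built-in and custom policies, and the way an initiative groups several policies into one compliance report, as an added Python example (not the study guide's or Azure's own code). The three policy definitions are modelled on the built-ins named in the sections above; the alias table, assignment parameters and resources are constructed sample data.

```python
"""Offline evaluator for the Azure Policy rule language described above (added
example, not from the study guide or the Azure Policy engine). It handles
field conditions (equals, in, exists), not/allOf/anyOf, parameter references
and deny/audit effects, and applies an initiative of three policies modelled
on the built-ins named earlier. All definitions and resources are constructed.
"""
import re

ALIASES = {  # constructed: Azure maps property aliases to a path inside the resource
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": ("properties", "supportsHttpsTrafficOnly"),
}

POLICIES = {
    "allowed-locations": {                 # like the "Allowed locations" built-in
        "mode": "Indexed",
        "parameters": {"allowedLocations": {"type": "Array", "defaultValue": ["eastus"]}},
        "policyRule": {
            "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
            "then": {"effect": "deny"}}},
    "require-environment-tag": {           # like "Require a tag on resources"
        "mode": "Indexed", "parameters": {},
        "policyRule": {
            "if": {"field": "tags['Environment']", "exists": "false"},
            "then": {"effect": "deny"}}},
    "storage-https-only": {                # like "Secure transfer to storage accounts"
        "mode": "All", "parameters": {},
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "equals": "false"}]},
            "then": {"effect": "audit"}}},
}

SECURITY_BASELINE = {"name": "Security Baseline", "policies": list(POLICIES)}  # the initiative (policy set)
ASSIGNMENT_PARAMS = {"allowedLocations": ["eastus", "eastus2"]}                 # parameters given at assignment

RESOURCES = [  # constructed, in the shape Azure Resource Manager returns resources
    {"name": "WebSvr01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
     "tags": {"Environment": "Prod"}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "stdev", "type": "Microsoft.Storage/storageAccounts", "location": "eastus2",
     "tags": {"Environment": "Dev"}, "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "budget-q3", "type": "Microsoft.Consumption/budgets"},   # no location or tags
]


def norm(value): return str(value).lower()   # Azure compares case-insensitively, so False matches "false"


def resolve(value, params, policy):
    """Replace "[parameters('x')]" with the assigned value, else the policy default."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    if not m:
        return value
    return params.get(m.group(1), policy["parameters"].get(m.group(1), {}).get("defaultValue"))


def get_field(resource, name):
    """Read a policy field: tags['key'], a known alias, or a top-level property."""
    m = re.fullmatch(r"tags\['(.+)'\]", name)
    if m:
        return resource.get("tags", {}).get(m.group(1))
    node = resource
    for key in ALIASES.get(name, (name,)):
        node = node.get(key) if isinstance(node, dict) else None
    return node


def evaluate(cond, resource, params, policy):
    """Return True when the condition holds for the resource."""
    if "not" in cond:
        return not evaluate(cond["not"], resource, params, policy)
    if "allOf" in cond:
        return all(evaluate(c, resource, params, policy) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params, policy) for c in cond["anyOf"])
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (norm(cond["exists"]) == "true")
    if "equals" in cond:
        return norm(value) == norm(resolve(cond["equals"], params, policy))
    if "in" in cond:
        return norm(value) in [norm(v) for v in resolve(cond["in"], params, policy)]
    raise ValueError(f"unsupported condition: {cond}")


def compliance_report(initiative, resources, params):
    """Per resource and member policy: Compliant, NonCompliant (effect) or NotApplicable."""
    report = {}
    for res in resources:
        states = report.setdefault(res["name"], {})
        for name in initiative["policies"]:
            policy, rule = POLICIES[name], POLICIES[name]["policyRule"]
            # Indexed mode evaluates only resource types that support location and tags.
            if policy["mode"] == "Indexed" and "location" not in res:
                states[name] = "NotApplicable"
            elif evaluate(rule["if"], res, params, policy):
                states[name] = f"NonCompliant ({rule['then']['effect']})"
            else:
                states[name] = "Compliant"
    return report
```

A deny effect would have blocked the non-compliant deployment at request time; audit only records it, which is why the report carries the effect next to the state.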

Configure Resource Locks via Portal

Explanation

The Azure portal provides a graphical interface for creating and managing resource locks. You can easily apply CanNotDelete or ReadOnly locks to protect critical resources.

Examples

Using the portal to lock production databases, applying locks to critical resource groups, visually managing lock inheritance, reviewing locked resources.

Enterprise Use Case

IT administrators use the portal for lock management when they need visual confirmation, are setting up initial protections, or training team members.

Diagram

Portal Lock Management:
Resource → Locks → Add Lock
    |        |        |
[Target]  [Type]   [Reason]
    |        |        |
[VM/RG]  [Delete/ReadOnly] [Description]

Configure Resource Locks via CLI

Explanation

Azure CLI enables command-line resource lock management through "az lock" commands. It supports scripting, automation, and programmatic lock management.

Examples

Using "az lock create" command, scripting lock deployment, automating protection in deployment pipelines, bulk lock management.

Enterprise Use Case

DevOps teams and automation-focused administrators use CLI for scripted lock management, infrastructure as code, and automated protection.

Diagram

CLI Lock Commands:
az lock create --name "ProductionLock" --lock-type CanNotDelete --resource-group "ProductionRG"

az lock list --resource-group "ProductionRG"

Configure Resource Locks via PowerShell

Explanation

PowerShell provides object-oriented resource lock management through cmdlets like New-AzResourceLock. It offers advanced scripting and integration with Windows environments.

Examples

Using New-AzResourceLock cmdlet, bulk lock operations with CSV import, complex filtering with PowerShell objects, integration with existing scripts.

Enterprise Use Case

Windows administrators and PowerShell experts use it for complex lock scenarios, advanced automation, and integration with enterprise PowerShell infrastructure.

Diagram

PowerShell Lock Cmdlets:
New-AzResourceLock -LockName "CriticalVMLock" -LockLevel CanNotDelete -ResourceGroupName "Production" -ResourceName "WebServer01" -ResourceType "Microsoft.Compute/virtualMachines"

Get-AzResourceLock | Where-Object {$_.Properties.level -eq "CanNotDelete"}

Add Tags to Resources

Explanation

Adding tags involves assigning key-value pairs to Azure resources for organization, cost tracking, and automation. Tags can be applied during resource creation or added later.

Examples

Adding "Environment=Production" tag, "Department=IT" for cost allocation, "Project=WebApp" for tracking, "Owner=TeamLead" for responsibility.

Enterprise Use Case

Organizations add tags to new resources for immediate organization, during resource deployment, and when implementing new governance policies.

Diagram

Adding Tags:
[Resource Creation] → [Add Tags] → [Key-Value Pairs]
       |                 |              |
[Deploy VM]        [Environment]    [Production]
                   [Department]     [IT]
                   [Project]        [WebApp]

Update Tags on Resources

Explanation

Updating tags involves modifying existing key-value pairs on Azure resources. This includes changing values, adding new keys, or modifying tag structures for better organization.

Examples

Changing "Environment=Dev" to "Environment=Prod", updating project names, modifying department assignments, adjusting cost center allocations.

Enterprise Use Case

Organizations update tags when resource purposes change, during environment promotions, or when reorganizing cost tracking structures.

Diagram

Updating Tags:
[Existing Resource] → [Modify Tags] → [Updated Labels]
        |                  |              |
[Web Server]        [Environment]    [Prod → QA]
                    [Department]     [IT → DevOps]

Remove Tags from Resources

Explanation

Removing tags involves deleting key-value pairs from Azure resources when they are no longer needed or when simplifying tag structures for better management.

Examples

Removing obsolete project tags, cleaning up old department assignments, removing temporary tags after migrations, simplifying tag schemas.

Enterprise Use Case

Organizations remove tags during resource cleanup, when simplifying governance structures, or when tags become obsolete after organizational changes.

Diagram

Removing Tags:
[Tagged Resource] → [Remove Tags] → [Cleaner Resource]
       |                |              |
[Multiple Tags]    [Select Keys]   [Essential Tags Only]
                   [Delete]        [Simplified Structure]

Azure Subscription Types

Explanation

Different subscription types serve various organizational needs: Free Trial (learning), Pay-As-You-Go (flexibility), Enterprise Agreement (volume discounts), CSP (partner managed), and Development/Test (reduced costs).

Examples

Free Trial for learning Azure, Pay-As-You-Go for small businesses, Enterprise Agreement for large corporations, Dev/Test for development teams.

Enterprise Use Case

Organizations choose subscription types based on size, commitment level, budget constraints, and relationship with Microsoft or partners.

Diagram

Subscription Types:
[Free Trial] → Learning, 12 months + $200 credit
[Pay-As-You-Go] → Flexible, pay for usage
[Enterprise Agreement] → Volume discounts, 3-year commitment  
[CSP] → Partner-managed, through resellers
[Dev/Test] → Reduced rates for development

Azure Resource Limits and Quotas

Explanation

Azure enforces limits and quotas to prevent runaway costs and ensure fair resource allocation. Limits include VM cores, storage accounts per region, and API call rates.

Examples

20 VM cores per region default, 250 storage accounts per subscription, API throttling limits, network security group rule limits.

Enterprise Use Case

Organizations monitor quotas for capacity planning, request limit increases for growth, and implement governance to prevent quota exhaustion.

Diagram

Common Azure Limits:
[Compute] → VM cores, availability sets
[Storage] → Storage accounts, disk size
[Network] → VNets, public IPs, load balancers
[Identity] → Applications, service principals

Azure Budgets

Explanation

Azure Budgets help monitor and control spending by setting spending limits and alerts. Budgets can be scoped to subscriptions, resource groups, or specific resources.

Examples

Monthly $1000 subscription budget, quarterly department budgets, project-specific spending limits, resource group cost controls.

Enterprise Use Case

Organizations use budgets for cost control, department chargebacks, project cost tracking, and preventing unexpected spending spikes.

Diagram

Budget Configuration:
[Budget Scope] → [Amount] → [Time Period] → [Alerts]
      |             |           |             |
[Subscription]   [$1000]    [Monthly]     [80%, 100%]
[Resource Group] [$500]     [Quarterly]   [Email/SMS]

Cost Analysis Reports

Explanation

Cost analysis provides detailed spending reports and insights into Azure resource costs. It offers filtering, grouping, and visualization to understand spending patterns.

Examples

Monthly spending breakdowns, cost by resource group, service-level cost analysis, trending reports, cost allocation by tags.

Enterprise Use Case

Organizations use cost analysis for budget planning, identifying cost optimization opportunities, departmental chargebacks, and spending trend analysis.

Diagram

Cost Analysis Views:
[Time Period] → [Group By] → [Filter] → [Visualize]
      |            |           |          |
[Last 6 months] [Service]   [Tags]    [Charts]
[This month]    [Location]  [RG]      [Tables]
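As an added example tying the Budgets and Cost Analysis sections together (not code from the guide), the Python below groups constructed cost-export rows the way cost analysis "Group By" does (resource group, service, or tag) and then evaluates them against hypothetical subscription- and resource-group-scoped budgets with 80% and 100% alert thresholds. All record and budget values are constructed sample data.

```python
from collections import defaultdict

# Constructed sample cost records (not real billing data), shaped like the
# rows a Cost Management export produces: one row per resource per day.
COST_RECORDS = [
    {"date": "2024-01-03", "resource_group": "rg-web", "service": "App Service",
     "tags": {"dept": "marketing", "project": "site"}, "cost": 180.0},
    {"date": "2024-01-10", "resource_group": "rg-web", "service": "Storage",
     "tags": {"dept": "marketing", "project": "site"}, "cost": 60.0},
    {"date": "2024-01-12", "resource_group": "rg-data", "service": "SQL Database",
     "tags": {"dept": "finance", "project": "ledger"}, "cost": 380.0},
    {"date": "2024-01-15", "resource_group": "rg-web", "service": "Virtual Machines",
     "tags": {"dept": "marketing"}, "cost": 180.0},
    {"date": "2024-01-20", "resource_group": "rg-dev", "service": "Virtual Machines",
     "tags": {}, "cost": 210.0},
]

# Hypothetical budgets mirroring the guide's "Budget Configuration" diagram:
# scope is either the whole subscription or a single resource group.
BUDGETS = [
    {"name": "sub-monthly", "scope": "subscription", "amount": 1000.0, "thresholds": (80, 100)},
    {"name": "rg-web-monthly", "scope": "rg-web", "amount": 500.0, "thresholds": (80, 100)},
    {"name": "rg-data-monthly", "scope": "rg-data", "amount": 400.0, "thresholds": (80, 100)},
]


def group_costs(records, by):
    """Cost analysis 'Group By': total cost per resource group, service or tag value.

    by="resource_group" / "service" groups on that column; by="tag:<name>"
    groups on a tag, with untagged resources landing in "(untagged)".
    """
    totals = defaultdict(float)
    for rec in records:
        if by.startswith("tag:"):
            key = rec["tags"].get(by[4:], "(untagged)")
        else:
            key = rec[by]
        totals[key] += rec["cost"]
    return dict(totals)


def scope_cost(records, scope):
    """Actual spend inside a budget scope (the subscription or one resource group)."""
    if scope == "subscription":
        return sum(r["cost"] for r in records)
    return sum(r["cost"] for r in records if r["resource_group"] == scope)


def evaluate_budgets(records, budgets):
    """Return one alert per crossed threshold, as Azure Budgets alert conditions fire.

    Each alert carries scope, percentage used and the threshold crossed, so a
    caller can route it to e-mail/SMS through an action group.
    """
    alerts = []
    for budget in budgets:
        spent = scope_cost(records, budget["scope"])
        pct_used = 100.0 * spent / budget["amount"]
        for threshold in budget["thresholds"]:
            if pct_used >= threshold:
                alerts.append({"budget": budget["name"], "scope": budget["scope"],
                               "spent": round(spent, 2), "pct_used": round(pct_used, 1),
                               "threshold": threshold})
    return alerts


if __name__ == "__main__":
    print("By resource group:", group_costs(COST_RECORDS, "resource_group"))
    print("By department tag:", group_costs(COST_RECORDS, "tag:dept"))
    for alert in evaluate_budgets(COST_RECORDS, BUDGETS):
        print(f"ALERT {alert['budget']}: {alert['pct_used']}% of budget used "
              f"(crossed the {alert['threshold']}% threshold)")
```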

Manage Management Groups via Portal

Explanation

The Azure portal provides a visual interface for creating and managing management groups. You can organize subscriptions hierarchically and apply policies at scale.

Examples

Creating organizational hierarchies through portal interface, visual subscription organization, drag-and-drop management, policy inheritance visualization.

Enterprise Use Case

IT administrators use the portal for initial management group setup, visualizing organizational structure, and when training teams on hierarchy concepts.

Diagram

Portal Management Groups:
Azure Portal → Management Groups → Create/Organize
    |
[Root Group] → [Department Groups] → [Project Groups] → [Subscriptions]

Manage Management Groups via CLI

Explanation

Azure CLI enables command-line management group operations through "az account management-group" commands. It supports scripting and automation of hierarchical structures.

Examples

Creating management groups with CLI commands, scripting organizational hierarchy deployment, automating group assignments in DevOps pipelines.

Enterprise Use Case

DevOps teams and infrastructure-as-code practitioners use CLI for automated management group deployment and scripted organizational changes.

Diagram

CLI Management Group Commands:
az account management-group create --name "IT-Department" --display-name "IT Department"
az account management-group subscription add --name "IT-Department" --subscription "sub-123"

Manage Management Groups via PowerShell

Explanation

PowerShell provides object-oriented management group administration through Azure PowerShell cmdlets. It offers advanced scripting and Windows environment integration.

Examples

Using New-AzManagementGroup cmdlet, bulk operations with CSV import, complex hierarchy management with PowerShell objects.

Enterprise Use Case

Windows administrators and PowerShell experts use it for complex management group scenarios, advanced automation, and enterprise PowerShell integration.

Diagram

PowerShell Management Group Cmdlets:
New-AzManagementGroup -GroupName "Corporate" -DisplayName "Corporate Division"
Add-AzManagementGroupSubscription -GroupName "Corporate" -SubscriptionId $subId

Azure Blueprints

Explanation

Azure Blueprints enable deployment of repeatable environment templates that bundle resource groups, policy assignments, role assignments, and ARM templates, so environments are deployed consistently and in line with compliance requirements. Note that Azure Blueprints is deprecated: Microsoft recommends Template Specs and Deployment Stacks for new work.

Examples

ISO 27001 compliance blueprints, PCI DSS templates, development environment blueprints, security baseline deployments.

Enterprise Use Case

Organizations use blueprints for consistent environment deployment, compliance automation, standardized security configurations, and repeatable infrastructure patterns.

Diagram

Blueprint Components:
[Blueprint Definition]
    |-- Resource Groups
    |-- Policy Assignments  
    |-- Role Assignments
    |-- ARM Templates
         ↓
[Blueprint Assignment] → [Compliant Environment]

Azure Portal Management

Explanation

The Azure portal is the primary web-based interface for managing Azure resources. It provides dashboards, wizards, and visual tools for comprehensive resource management.

Examples

Creating resources through wizards, customizing dashboards, using Cloud Shell integration, monitoring resource health, managing access controls.

Enterprise Use Case

IT administrators, developers, and business users use the portal for visual resource management, monitoring, troubleshooting, and when learning Azure services.

Diagram

Portal Features:
[Dashboard] → Customizable resource views
[Resource Groups] → Logical organization
[Activity Log] → Audit trail
[Cloud Shell] → Integrated command line
[Alerts] → Proactive monitoring

Azure Cloud Shell

Explanation

Azure Cloud Shell is a browser-based shell environment that provides command-line access to Azure resources. It includes both Bash and PowerShell environments with pre-installed tools.

Examples

Running Azure CLI commands from browser, PowerShell scripting without local installation, accessing resources from any device, persistent file storage.

Enterprise Use Case

Users prefer Cloud Shell for cross-platform access, when local tools aren't available, for quick administrative tasks, and in restricted environments.

Diagram

Cloud Shell Features:
[Browser Access] → No local installation needed
[Dual Environments] → Bash + PowerShell
[Persistent Storage] → Files saved between sessions
[Pre-installed Tools] → CLI, PowerShell, editors
[Authentication] → Automatic Azure login

Azure CLI in Cloud Shell

Explanation

Azure CLI runs natively in the Cloud Shell Bash environment, providing full command-line capabilities without a local installation. The session is authenticated automatically with the signed-in portal identity and ships the latest CLI version.

Examples

Managing resources with az commands, running scripts stored in Cloud Shell storage, automating tasks through browser interface.

Enterprise Use Case

Ideal for users who need CLI access without local setup, cross-platform scenarios, and quick administrative tasks from any location.

Diagram

CLI in Cloud Shell:
[Web Browser] → [Cloud Shell] → [Azure CLI Commands]
      |              |                |
[Any Device]    [Bash Shell]     [az resource commands]

PowerShell in Cloud Shell

Explanation

PowerShell runs in Cloud Shell, providing object-oriented Azure management through the browser. It includes the Azure PowerShell (Az) modules and cross-platform PowerShell (formerly PowerShell Core).

Examples

Running Azure PowerShell cmdlets, object manipulation and filtering, script execution from browser, integration with Azure services.

Enterprise Use Case

PowerShell users prefer this for browser-based administration, when local PowerShell isn't available, and for consistent PowerShell experience across platforms.

Diagram

PowerShell in Cloud Shell:
[Web Browser] → [Cloud Shell] → [PowerShell Cmdlets]
      |              |                |
[Any Device]   [PowerShell Core] [Get-AzResource, etc.]

ARM Template JSON Structure

Explanation

ARM templates follow a specific JSON schema with sections for parameters, variables, resources, and outputs. Understanding the structure is key to creating effective templates.

Examples

Schema declaration, parameter definitions with types and defaults, variable calculations, resource dependencies, output values.

Enterprise Use Case

Template authors need to understand JSON structure for creating maintainable, reusable templates and following Azure best practices.

Diagram

ARM Template Sections:
[Schema] → Version and validation
[Parameters] → Input values  
[Variables] → Calculated expressions
[Resources] → Azure resources to create
[Outputs] → Values to return
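As an added example (not from the guide), the Python below embeds a small constructed ARM template that uses every section listed above, then checks the structure the way a template author would before deploying: required top-level keys are present, every `[parameters('x')]` / `[variables('y')]` expression names something declared, and each `dependsOn` points at a resource type the template itself creates. The template content and the `validate_template` helper are mine, not Azure tooling.

```python
import json
import re

# Constructed ARM template (example only): a storage account plus one blob
# container, exercising $schema, parameters, variables, resources and outputs.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccountName": {"type": "string", "minLength": 3, "maxLength": 24},
        "location": {"type": "string", "defaultValue": "[resourceGroup().location]"},
    },
    "variables": {
        "containerName": "[concat(parameters('storageAccountName'), '/default/logs')]",
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2023-01-01",
            "name": "[parameters('storageAccountName')]",
            "location": "[parameters('location')]",
            "sku": {"name": "Standard_LRS"},
            "kind": "StorageV2",
            # Hardened defaults: no anonymous blob access, TLS 1.2 minimum.
            "properties": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"},
        },
        {
            "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
            "apiVersion": "2023-01-01",
            "name": "[variables('containerName')]",
            "dependsOn": ["[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"],
        },
    ],
    "outputs": {
        "storageId": {
            "type": "string",
            "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]",
        }
    },
}

REQUIRED_KEYS = ("$schema", "contentVersion", "resources")
REF_PATTERN = re.compile(r"(parameters|variables)\('([^']+)'\)")
RESOURCE_ID_PATTERN = re.compile(r"resourceId\('([^']+)'")


def validate_template(template):
    """Check section layout and cross-references; return a list of problems (empty = OK)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in template:
            problems.append(f"missing required top-level section: {key}")
    declared = {
        "parameters": set(template.get("parameters", {})),
        "variables": set(template.get("variables", {})),
    }
    # Every parameters()/variables() expression anywhere in the template must
    # name something declared in the matching section.
    text = json.dumps(template)
    for section, name in REF_PATTERN.findall(text):
        if name not in declared[section]:
            problems.append(f"{section}('{name}') is referenced but not declared")
    # dependsOn may only point at resource types this template itself creates.
    types_in_template = {r.get("type") for r in template.get("resources", [])}
    for res in template.get("resources", []):
        for key in ("type", "apiVersion", "name"):
            if key not in res:
                problems.append(f"resource missing '{key}': {res.get('name', '?')}")
        for dep in res.get("dependsOn", []):
            for dep_type in RESOURCE_ID_PATTERN.findall(dep):
                if dep_type not in types_in_template:
                    problems.append(f"{res.get('name')} depends on undeclared type {dep_type}")
    return problems


def broken_copy():
    """The same template with the 'location' parameter removed, leaving a dangling reference."""
    copy = json.loads(json.dumps(SAMPLE_TEMPLATE))
    del copy["parameters"]["location"]
    return copy


if __name__ == "__main__":
    print("valid template:", validate_template(SAMPLE_TEMPLATE) or "no problems")
    print("broken template:", validate_template(broken_copy()))
```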

Azure Storage Explorer

Explanation

Azure Storage Explorer is a standalone desktop application that provides a graphical interface for managing Azure Storage data. It allows browsing, uploading, downloading, and managing blobs, files, queues, and tables across multiple subscriptions.

Examples

Browsing storage account contents, uploading files via drag-and-drop, creating containers and shares, managing access policies and SAS tokens.

Enterprise Use Case

Used by developers and administrators for storage management tasks, troubleshooting storage issues, bulk data operations, and storage account exploration.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                    🗂️ AZURE STORAGE EXPLORER                    │
└─────────────────────────────────────────────────────────────────┘

    📱 Desktop Application
    ══════════════════════
    
    ┌─────────────────┬─────────────────────────────────────────────┐
    │   📂 Accounts   │              📊 Main View                   │
    │                 │                                             │
    │ 📦 Subscription │  ┌─────────┬─────────┬─────────┬─────────┐ │
    │ └── Storage1    │  │ 📁 Blob │ 📄 File │ 📋 Queue│ 📋 Table│ │
    │     ├── Blob    │  │ Service │ Service │ Service │ Service │ │
    │     ├── Files   │  └─────────┴─────────┴─────────┴─────────┘ │
    │     ├── Queue   │                                             │
    │     └── Tables  │  Container: "images"                        │
    │                 │  ┌─────────────────────────────────────────┐│
    │ 📦 Local Dev    │  │ 📷 photo1.jpg    │ 2.5MB │ 2024-01-15 ││
    │ ├── Emulator    │  │ 🖼️ banner.png    │ 800KB │ 2024-01-14 ││
    │ └── Attached    │  │ 📊 report.pdf    │ 1.2MB │ 2024-01-13 ││
    │     Storage     │  └─────────────────────────────────────────┘│
    └─────────────────┴─────────────────────────────────────────────┘
    
    ⚡ Key Features:
    ───────────────
    
    🔧 Management Operations        📊 Data Operations
    ┌─────────────────────┐        ┌─────────────────────┐
    │ • Create containers │        │ • Upload files      │
    │ • Set access policies│       │ • Download blobs    │
    │ • Generate SAS      │        │ • Copy between      │
    │ • Manage snapshots  │        │   accounts          │
    │ • Configure tiers   │        │ • Bulk operations   │
    └─────────────────────┘        └─────────────────────┘
    
    🌐 Multi-Platform Support      🔍 Advanced Features  
    ┌─────────────────────┐        ┌─────────────────────┐
    │ • Windows          │         │ • Search & Filter   │
    │ • macOS            │         │ • Property editing  │ 
    │ • Linux            │         │ • Version history   │
    │ • Cross-platform   │         │ • Activity log      │
    │   consistency      │         │ • Error handling    │
    └─────────────────────┘        └─────────────────────┘

Azure Import/Export Service

Explanation

Azure Import/Export service enables secure transfer of large amounts of data to and from Azure by shipping physical disk drives to Azure datacenters. This bypasses network limitations for massive data migrations.

Examples

Migrating terabytes of data to Azure, initial cloud migration, disaster recovery data transfer, moving archives to cool storage.

Enterprise Use Case

Used for large-scale data migrations when network transfer would be too slow or expensive, moving on-premises archives to cloud storage, disaster recovery scenarios.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│              📦 AZURE IMPORT/EXPORT WORKFLOW                   │
└─────────────────────────────────────────────────────────────────┘

    🚚 IMPORT Process (To Azure)
    ════════════════════════════
    
    On-Premises                    Azure Datacenter
    ─────────────                  ─────────────────
    
    1️⃣ Prepare Drives            4️⃣ Receive & Process
    ┌─────────────────┐          ┌─────────────────────┐
    │ 💾 HDD/SSD      │   ✈️     │ 🏭 Azure Datacenter │
    │ ├── Data files  │  ──────→ │ ├── Drive validation│
    │ ├── Journal     │          │ ├── Data extraction │
    │ └── Manifest    │          │ └── Upload to blob  │
    └─────────────────┘          └─────────────────────┘
           ↑                              ↓
    2️⃣ Use WAImportExport       5️⃣ Confirmation
    ┌─────────────────┐          ┌─────────────────────┐
    │ • Encrypt drive │          │ 📊 Job completed    │
    │ • Generate logs │          │ 📧 Email notification│
    │ • Create job    │          │ 🔐 Drives wiped     │
    │ • Ship drives   │          │ 📦 Return shipping  │
    └─────────────────┘          └─────────────────────┘
           ↑                              
    3️⃣ Create Import Job
    ┌─────────────────┐
    │ 🌐 Azure Portal │
    │ • Job details   │
    │ • Storage target│
    │ • Shipping info │
    └─────────────────┘

    📤 EXPORT Process (From Azure)
    ═══════════════════════════════

    Azure Storage                   Customer Location
    ─────────────                   ──────────────────
    
    1️⃣ Create Export Job          4️⃣ Receive Drives
    ┌─────────────────┐          ┌─────────────────────┐
    │ 🌐 Azure Portal │   📦     │ 💾 Encrypted drives │
    │ • Select blobs  │  ──────→ │ ├── Customer data   │
    │ • Drive details │          │ ├── BitLocker keys  │
    │ • Shipping info │          │ └── Unlock & access │
    └─────────────────┘          └─────────────────────┘
           ↓                              ↑
    2️⃣ Azure Processing          3️⃣ Ship to Customer  
    ┌─────────────────┐          ┌─────────────────────┐
    │ 🏭 Datacenter   │          │ 🚚 Secure shipping  │
    │ • Copy data     │          │ • Tracking number   │
    │ • Encrypt drive │          │ • Insurance         │
    │ • Generate keys │          │ • Chain of custody  │
    └─────────────────┘          └─────────────────────┘

    ⚡ Service Benefits:
    ───────────────────

    💨 Speed              💰 Cost-Effective        🔒 Security
    ┌─────────────┐      ┌─────────────────┐      ┌─────────────┐
    │ • TB/day    │      │ • Bypass egress │      │ • BitLocker │
    │ • No network│      │   charges       │      │ • Wiping    │
    │   bottleneck│      │ • Bulk pricing  │      │ • Chain of  │
    │ • Parallel  │      │ • Drive reuse   │      │   custody   │
    └─────────────┘      └─────────────────┘      └─────────────┘

File Share Snapshots

Explanation

Azure Files snapshots capture the state of a file share at a specific point in time. Snapshots are read-only and provide protection against accidental deletion or corruption.

Examples

Creating snapshots before application updates, scheduled backup snapshots, recovery from accidental file deletion, point-in-time restore operations.

Enterprise Use Case

Used for backup and recovery, protecting against ransomware, creating restore points before changes, compliance and audit requirements.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                   📸 FILE SHARE SNAPSHOTS                      │
└─────────────────────────────────────────────────────────────────┘

    🕒 Snapshot Timeline
    ═══════════════════
    
    Current State              Snapshot History
    ─────────────             ──────────────────
    
    📁 FileShare "apps"        📸 Snapshot Chain
    ├── app1/                  ┌─────────────────────────────────┐
    │   ├── config.json        │ 🕐 09:00 - Morning Backup      │
    │   ├── data.db           │ ├── app1/config.json (v1.0)    │
    │   └── logs/             │ ├── app1/data.db (1MB)         │
    ├── app2/                  │ └── app2/readme.txt            │
    │   ├── readme.txt         │                                 │
    │   └── binary.exe         │ 🕑 12:00 - Pre-deployment      │
    └── shared/                │ ├── app1/config.json (v1.1)    │
        └── templates/         │ ├── app1/data.db (1.2MB)       │
                               │ ├── app2/readme.txt            │
                               │ └── app2/binary.exe (NEW)      │
    Live Share                 │                                 │
    ──────────                 │ 🕕 18:00 - End of Day         │
    • Read/Write               │ ├── app1/config.json (v1.2)    │
    • Current data             │ ├── app1/data.db (1.5MB)       │
    • Active changes           │ ├── app1/logs/ (NEW FOLDER)    │
                               │ ├── app2/binary.exe (UPDATED)  │
                               │ └── shared/templates/ (NEW)    │
                               └─────────────────────────────────┘

    ⚡ Snapshot Operations
    ═════════════════════

    📸 Create                   🔍 Browse                  🔄 Restore
    ┌─────────────────┐        ┌─────────────────┐        ┌─────────────────┐
    │ # Azure CLI     │        │ # List snapshots│        │ # File restore  │
    │ az storage      │        │ az storage share│        │ az storage file │
    │ share snapshot  │        │ list-snapshots  │        │ copy --source   │
    │ --name apps     │        │ --name apps     │        │ "snapshot-url"  │
    │                 │        │                 │        │ --destination   │
    │ # PowerShell    │        │ # Browse files  │        │ "/live/path"    │
    │ New-AzStorageShareSnapshot│ Get-AzStorageFile│      │                 │
    │ -Name "apps"    │        │ -ShareName apps │        │ # Full restore  │
    │                 │        │ -Snapshot $snap │        │ Restore entire  │
    │ # Portal        │        │                 │        │ share from      │
    │ File Share →    │        │ # Portal        │        │ snapshot        │
    │ Snapshots →     │        │ View historical │        │                 │
    │ + Create        │        │ file versions   │        └─────────────────┘
    └─────────────────┘        └─────────────────┘

    📊 Snapshot Features
    ═══════════════════

    💾 Storage Efficiency        🕐 Point-in-Time         🔒 Protection
    ┌─────────────────┐         ┌─────────────────┐       ┌─────────────────┐
    │ • Incremental   │         │ • Consistent    │       │ • Read-only     │
    │   changes only  │         │   state capture │       │ • Immutable     │
    │ • Share metadata│         │ • Atomic        │       │ • Ransomware    │
    │ • Reference-    │         │   operation     │       │   protection    │
    │   based         │         │ • Crash-        │       │ • Compliance    │
    │ • Cost effective│         │   consistent    │       │   archival      │
    └─────────────────┘         └─────────────────┘       └─────────────────┘

Blob Soft Delete

Explanation

Blob soft delete protects against accidental deletion and modification by retaining deleted blobs and blob versions for a specified retention period. Data can be recovered before permanent deletion.

Examples

Recovering accidentally deleted blobs, protecting against application bugs, ransomware protection, compliance data retention requirements.

Enterprise Use Case

Used for data protection in production environments, meeting regulatory compliance, protecting critical business data, reducing data loss incidents.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                     🗂️ BLOB SOFT DELETE                        │
└─────────────────────────────────────────────────────────────────┘

    ♻️ Soft Delete Lifecycle
    ════════════════════════

    Active Blob                Soft Deleted              Permanent Delete
    ───────────               ──────────────             ────────────────
    
    📄 document.pdf           👻 document.pdf            ❌ [GONE]
    ├── Size: 2.5MB          ├── Size: 2.5MB            
    ├── Modified: Today      ├── Deleted: Today         After retention
    ├── Accessible: ✅       ├── Accessible: 🔍 Special period expires
    └── Operations: All      ├── Operations: Read-only  
                             ├── Retention: 7 days      
                             └── Status: SOFT_DELETED   

    🔄 Recovery Process
    ──────────────────
    
    1️⃣ List Deleted Blobs    2️⃣ Select Recovery        3️⃣ Restore Blob
    ┌─────────────────┐      ┌─────────────────┐       ┌─────────────────┐
    │ # Show deleted  │      │ # Choose blob   │       │ # Undelete      │
    │ az storage blob │      │ Select specific │       │ az storage blob │
    │ list --include d│      │ soft-deleted    │       │ undelete        │
    │                 │      │ version         │       │ --name doc.pdf  │
    │                 │      │                 │       │                 │
    │ # PowerShell    │      │ # Validate      │       │ # PowerShell    │
    │ Get-AzStorageBlob│      │ Check blob      │       │ $blob.BlobClient│
    │ -IncludeDeleted │      │ metadata and    │       │ .Undelete()     │
    │                 │      │ properties      │       │                 │
    │ # Portal        │      │                 │       │ # Portal        │
    │ Container →     │      │ # Portal        │       │ Deleted blobs → │
    │ Show deleted    │      │ Preview content │       │ Restore selected│
    └─────────────────┘      └─────────────────┘       └─────────────────┘

    ⚙️ Configuration Settings
    ════════════════════════

    📅 Retention Period         🏷️ Blob Types              🔧 Management
    ┌─────────────────┐        ┌─────────────────┐        ┌───────────────────────────────┐
    │ • Min: 1 day    │        │ • Block blobs   │        │ # Enable (Azure CLI)          │
    │ • Max: 365 days │        │ • Append blobs  │        │ az storage account            │
    │ • Default: 7    │        │ • Page blobs    │        │ blob-service-properties update│
    │ • Configurable  │        │ • Snapshots     │        │ --enable-delete-retention true│
    │   per account   │        │ • Versions      │        │ --delete-retention-days 7     │
    │ • Global policy │        │ • All metadata  │        │ # PowerShell: Enable-AzStorage│
    │ • Cost impact   │        │ • Access tiers  │        │ BlobDeleteRetentionPolicy     │
    └─────────────────┘        └─────────────────┘        └───────────────────────────────┘

    💰 Storage & Billing
    ═══════════════════

    📊 Billing Impact           🗄️ Storage Tiers          ⏱️ Time Tracking
    ┌─────────────────┐        ┌─────────────────┐        ┌─────────────────┐
    │ • Soft deleted  │        │ • Maintains     │        │ • Deletion time │
    │   blobs charged │        │   original tier │        │ • Retention     │
    │ • Same rate as  │        │ • Hot/Cool/     │        │   countdown     │
    │   active blobs  │        │   Archive       │        │ • Auto-purge    │
    │ • Until purged  │        │ • Tier changes  │        │   scheduling    │
    │ • Monitor usage │        │   preserved     │        │ • Audit logs    │
    └─────────────────┘        └─────────────────┘        └─────────────────┘
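As an added example (not from the guide and not the Azure SDK), the Python below is a small in-memory model of the soft delete lifecycle drawn above: a deleted blob drops out of normal listings but stays recoverable and billable until the retention period (1 to 365 days) lapses, after which undelete fails. The class and method names are hypothetical; time is a plain day counter so the model runs offline.

```python
MIN_RETENTION_DAYS, MAX_RETENTION_DAYS = 1, 365   # bounds stated in the guide


class SoftDeleteContainer:
    """In-memory model of one blob container with soft delete enabled.

    Hypothetical teaching model that mirrors the service behaviour described
    above. On a real account the equivalent setting is
    `az storage account blob-service-properties update
       --enable-delete-retention true --delete-retention-days N`.
    """

    def __init__(self, retention_days):
        if not MIN_RETENTION_DAYS <= retention_days <= MAX_RETENTION_DAYS:
            raise ValueError("delete retention must be between 1 and 365 days")
        self.retention_days = retention_days
        self.blobs = {}   # name -> {"size": bytes, "deleted_day": int | None}

    def upload(self, name, size):
        self.blobs[name] = {"size": size, "deleted_day": None}

    def delete(self, name, day):
        """Soft delete: the blob leaves normal listings but its data is retained."""
        self.blobs[name]["deleted_day"] = day

    def purge_expired(self, day):
        """Service-side garbage collection of blobs whose retention has lapsed."""
        for name in list(self.blobs):
            deleted_day = self.blobs[name]["deleted_day"]
            if deleted_day is not None and day >= deleted_day + self.retention_days:
                del self.blobs[name]          # permanent, unrecoverable

    def list_blobs(self, day, include_deleted=False):
        """Like `az storage blob list --include d`: deleted blobs show only when asked for."""
        self.purge_expired(day)
        return sorted(name for name, blob in self.blobs.items()
                      if include_deleted or blob["deleted_day"] is None)

    def undelete(self, name, day):
        """Like `az storage blob undelete`; fails once the blob has been purged."""
        self.purge_expired(day)
        if name not in self.blobs:
            raise KeyError(f"{name}: retention expired, blob was permanently deleted")
        self.blobs[name]["deleted_day"] = None
        return True

    def billable_bytes(self, day):
        """Soft-deleted blobs are billed at their tier's rate until they are purged."""
        self.purge_expired(day)
        return sum(blob["size"] for blob in self.blobs.values())


if __name__ == "__main__":
    c = SoftDeleteContainer(retention_days=7)
    c.upload("document.pdf", 2_500_000)
    c.delete("document.pdf", day=0)
    print("visible:", c.list_blobs(day=1), "with deleted:", c.list_blobs(day=1, include_deleted=True))
    print("still billed on day 6:", c.billable_bytes(day=6))
    c.undelete("document.pdf", day=6)
    print("after undelete:", c.list_blobs(day=6))
```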

Azure CDN (Content Delivery Network)

Explanation

Azure CDN is a global network of edge servers that cache and deliver content from locations closest to users. It improves performance, reduces latency, and decreases origin server load for web applications and static content.

Examples

Caching static website assets, streaming video content, accelerating API responses, delivering software downloads, mobile app content optimization.

Enterprise Use Case

Used by media companies for video streaming, e-commerce sites for faster page loads, gaming companies for content distribution, global applications requiring low latency.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                      🌐 AZURE CDN ARCHITECTURE                 │
└─────────────────────────────────────────────────────────────────┘

    🌍 Global Distribution Network
    ═════════════════════════════

    Origin Server                    Edge Locations Worldwide
    ─────────────                    ─────────────────────────

    🏢 Content Source                🌐 Global Edge Network
    ┌─────────────────────┐         ┌─────────────────────────────────┐
    │ 🌐 Web Application  │         │ 🇺🇸 North America (12 POPs)    │
    │ ├── Static assets   │         │ ├── Seattle, Los Angeles       │
    │ ├── Images/CSS/JS   │         │ ├── Chicago, New York         │
    │ ├── Videos/Media    │         │ ├── Dallas, Atlanta           │
    │ └── API responses   │         │                               │
    │                     │         │ 🇪🇺 Europe (8 POPs)           │
    │ 📊 Azure Storage    │◀═══════▶│ ├── London, Amsterdam         │
    │ ├── Blob containers │         │ ├── Frankfurt, Paris          │
    │ ├── Static websites │         │ ├── Madrid, Stockholm         │
    │ └── Media files     │         │                               │
    │                     │         │ 🌏 Asia Pacific (10 POPs)     │
    │ 💾 Azure App Service│         │ ├── Tokyo, Hong Kong          │
    │ ├── Web APIs       │         │ ├── Singapore, Sydney         │
    │ ├── Dynamic content │         │ ├── Seoul, Mumbai             │
    │ └── Custom domains  │         │ └── Taipei, Jakarta           │
    └─────────────────────┘         └─────────────────────────────────┘

    🔄 Content Delivery Flow
    ═══════════════════════

    User Request                     Cache Logic                    Response
    ────────────                     ─────────────                  ─────────

    1️⃣ User Access                  3️⃣ Edge Processing             5️⃣ Fast Delivery
    ┌─────────────────┐             ┌─────────────────────┐        ┌─────────────┐
    │ 👤 User (Tokyo) │             │ 🌐 Nearest Edge     │        │ ⚡ Cached    │
    │ Requests:       │────────────▶│ Server (Tokyo POP)  │───────▶│ Content     │
    │ • Website       │             │                     │        │ Delivered   │
    │ • Images        │             │ 🔍 Cache Check:     │        │             │
    │ • Videos        │             │ • HIT: Serve cached │        │ 📊 Benefits:│
    │ • APIs          │             │ • MISS: Fetch origin│        │ • Low latency│
    └─────────────────┘             │                     │        │ • High speed│
                                    │ ⏰ TTL Management:  │        │ • Reliability│
    2️⃣ DNS Resolution               │ • Cache duration    │        └─────────────┘
    ┌─────────────────┐             │ • Purge policies    │
    │ 📡 DNS queries  │             │ • Compression       │        6️⃣ Analytics
    │ Route to nearest│             │ • Optimization      │        ┌─────────────┐
    │ edge location   │             └─────────────────────┘        │ 📊 Metrics: │
    │ based on        │                         │                  │ • Hit ratio │
    │ geography       │             4️⃣ Origin Fetch               │ • Bandwidth │
    └─────────────────┘             ┌─────────────────────┐        │ • Requests  │
                                    │ 📥 If cache MISS:   │        │ • Errors    │
                                    │ • Fetch from origin │        │ • Geography │
                                    │ • Cache at edge     │        └─────────────┘
                                    │ • Deliver to user   │
                                    └─────────────────────┘

    ⚙️ CDN Configuration
    ═══════════════════

    🎯 Profile Types               🔧 Optimization Settings        📊 Features
    ┌─────────────────┐           ┌─────────────────────┐         ┌─────────────┐
    │ Standard Verizon│           │ • General web       │         │ • Custom    │
    │ Standard Akamai │           │ • Large file        │         │   domains   │
    │ Standard Microsoft│         │ • Video streaming   │         │ • SSL/TLS   │
    │ Premium Verizon │           │ • Dynamic site      │         │ • Compression│
    │                 │           │   acceleration     │         │ • Geo-      │
    │ Features vary:  │           │                     │         │   filtering │
    │ • Pricing       │           │ 🗄️ Caching Rules:   │         │ • Token auth│
    │ • Rules engine  │           │ • TTL policies      │         │ • Real-time │
    │ • Advanced      │           │ • Query strings     │         │   analytics │
    │   analytics     │           │ • Custom headers    │         │ • Purging   │
    └─────────────────┘           └─────────────────────┘         └─────────────┘

    💰 Cost Optimization
    ═══════════════════

    📊 Pricing Factors             🎯 Best Practices              ⚡ Performance
    ┌─────────────────┐           ┌─────────────────────┐         ┌─────────────┐
    │ • Data transfer │           │ • Optimize TTL      │         │ • 90%+ cache│
    │ • HTTP requests │           │ • Compress assets   │         │   hit ratio │
    │ • Geography     │           │ • Use query params  │         │ • <50ms     │
    │ • Profile type  │           │ • Minimize purging  │         │   response  │
    │ • SSL requests  │           │ • Batch operations  │         │ • 99.9%     │
    │                 │           │ • Monitor usage     │         │   uptime    │
    │ Free tier:      │           │                     │         │ • Global    │
    │ • 10GB/month    │           │ 🔄 Cache Strategies:│         │   reach     │
    │ • HTTP only     │           │ • Static: Long TTL  │         │ • Auto-     │
    │ • Basic rules   │           │ • Dynamic: Short    │         │   scaling   │
    └─────────────────┘           └─────────────────────┘         └─────────────┘

Azure Storage Tiers

Explanation

Azure Storage tiers provide cost-effective data storage options based on access frequency. Hot, Cool, and Archive tiers offer different pricing and performance characteristics for blob storage optimization.

Examples

Hot tier for frequently accessed data, Cool tier for monthly backups, Archive tier for long-term compliance data, automated lifecycle policies for cost optimization.

Enterprise Use Case

Used for cost optimization in data archiving, backup strategies, compliance retention, media storage, and application data lifecycle management.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                     🌡️ AZURE STORAGE TIERS                     │
└─────────────────────────────────────────────────────────────────┘

    🔥 Tier Characteristics
    ══════════════════════

    🔥 HOT TIER                   🧊 COOL TIER                  🏔️ ARCHIVE TIER
    ───────────────               ────────────────              ────────────────

    💰 Cost: Higher storage       💰 Cost: Lower storage        💰 Cost: Lowest storage
    ⚡ Access: Instant            ⚡ Access: Instant             ⚡ Access: 1-15 hours
    📊 Frequency: Daily           📊 Frequency: Monthly          📊 Frequency: Rarely
    ⏱️ Min Duration: None         ⏱️ Min Duration: 30 days       ⏱️ Min Duration: 180 days
    
    ┌─────────────────────┐      ┌─────────────────────┐       ┌─────────────────────┐
    │ 🌐 Active websites  │      │ 💾 Monthly backups  │       │ 📋 Compliance data  │
    │ 📱 Mobile app data  │      │ 🔄 Recent archives   │       │ 🗄️ Long-term logs   │
    │ ⚡ Real-time logs   │      │ 📊 Quarterly reports │       │ 📚 Historical data  │
    │ 🖼️ User uploads     │      │ 🎬 Seasonal media    │       │ 🔐 Legal documents  │
    │ 🎮 Game assets      │      │ 📈 Analytics data    │       │ 💾 Disaster recovery│
    └─────────────────────┘      └─────────────────────┘       └─────────────────────┘

    💲 Pricing Comparison (per GB/month)
    ════════════════════════════════════

    Storage Costs                 Access Costs                  Transfer Costs
    ─────────────                ──────────────                ───────────────

    🔥 HOT:    $0.0208           🔥 HOT:    $0.00              🌐 Egress: $0.087/GB
    🧊 COOL:   $0.0125           🧊 COOL:   $0.01/GB          📤 Same as Hot/Cool
    🏔️ ARCHIVE: $0.0018          🏔️ ARCHIVE: $5.00/GB         💰 Higher for Archive

    Early Deletion Fees          Operation Costs               Minimum Duration
    ───────────────────         ─────────────────             ─────────────────

    🔥 HOT:    None              🔥 HOT:    Lowest             🔥 HOT:    None
    🧊 COOL:   30 days           🧊 COOL:   Medium             🧊 COOL:   30 days
    🏔️ ARCHIVE: 180 days         🏔️ ARCHIVE: Highest          🏔️ ARCHIVE: 180 days

    🔄 Lifecycle Management
    ══════════════════════

    Automated Tier Transitions    Policy Configuration          Cost Optimization
    ─────────────────────────     ─────────────────────        ─────────────────

    📅 Day 0: Upload → HOT        ⚙️ JSON Policy Rules          📊 Strategy Examples:
    ┌─────────────────────┐       ┌─────────────────────┐       ┌─────────────────┐
    │ 📄 New files        │       │ {                   │       │ • Logs: Hot→Cool│
    │ • Hot tier          │       │   "rules": [{       │       │   after 7 days  │
    │ • Immediate access  │       │     "name": "move", │       │ • Backups: Cool │
    │ • Highest cost      │       │     "enabled": true,│       │   → Archive     │
    └─────────────────────┘       │     "type": "Lifecycle",    │ • Media: Hot    │
              ↓                   │     "definition": { │       │   → Archive     │
    📅 Day 30: HOT → COOL         │       "actions": {  │       │   direct        │
    ┌─────────────────────┐       │         "baseBlob": {       │ • Compliance:   │
    │ 🧊 Monthly access    │       │           "tierToCool": {   │   Archive only  │
    │ • Lower storage     │       │             "daysAfter": 30 │ • Analytics:    │
    │ • Same access speed │       │           }         │       │   Hot→Cool      │
    │ • Reduced cost      │       │         }           │       │   →Archive      │
    └─────────────────────┘       │       }             │       └─────────────────┘
              ↓                   │     }]              │
    📅 Day 365: COOL → ARCHIVE    │   }                 │       🎯 Best Practices:
    ┌─────────────────────┐       └─────────────────────┘       ┌─────────────────┐
    │ 🏔️ Long-term storage │                                   │ • Monitor access│
    │ • Lowest cost       │       🔧 Implementation:           │   patterns      │
    │ • Rehydration req'd │       ┌─────────────────────┐       │ • Set appropriate│
    │ • 1-15 hour access  │       │ # Azure CLI         │       │   policies      │
    └─────────────────────┘       │ az storage account  │       │ • Consider      │
                                  │ management-policy   │       │   compliance    │
                                  │ create --policy     │       │ • Test restore  │
                                  │ @policy.json        │       │   procedures    │
                                  │ # PowerShell        │       │ • Review costs  │
                                  │ Set-AzStorageAccount│       │   regularly     │
                                  │ ManagementPolicy    │       └─────────────────┘
                                  └─────────────────────┘
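Added example, not code from the study guide: a small Python script that builds a lifecycle management policy in the JSON shape the `az storage account management-policy` commands accept, then evaluates it against a constructed blob inventory so you can see which blob would be tiered or deleted at a given age. The rule name, prefix, deletion threshold and inventory are assumptions. Note that the real threshold property is `daysAfterModificationGreaterThan`, and that the evaluator is a simplified model of the service: it ignores the blob's current tier and the other `daysAfter*` conditions.

```python
"""Build a blob lifecycle management policy and evaluate it against a blob inventory.

Added example (not the study guide's own code). The document follows the
Azure Storage management-policy JSON schema; rule name, prefix, deletion
threshold and the sample inventory are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Transitions from the guide: Hot -> Cool at day 30, Cool -> Archive at day 365.
COOL_AFTER_DAYS = 30
ARCHIVE_AFTER_DAYS = 365
DELETE_AFTER_DAYS = 2555  # assumed 7-year retention before deletion


def build_policy(prefix: str = "logs/") -> dict:
    """Return a management-policy document with one lifecycle rule.

    The real property name is daysAfterModificationGreaterThan; the rule is
    limited to block blobs whose names start with `prefix`.
    """
    return {
        "rules": [
            {
                "enabled": True,
                "name": "tier-down-logs",  # constructed rule name
                "type": "Lifecycle",
                "definition": {
                    "actions": {
                        "baseBlob": {
                            "tierToCool": {"daysAfterModificationGreaterThan": COOL_AFTER_DAYS},
                            "tierToArchive": {"daysAfterModificationGreaterThan": ARCHIVE_AFTER_DAYS},
                            "delete": {"daysAfterModificationGreaterThan": DELETE_AFTER_DAYS},
                        }
                    },
                    "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
                },
            }
        ]
    }


def expected_action(policy: dict, blob_name: str, blob_type: str, age_days: int) -> Optional[str]:
    """Return the action the policy would take on a blob of the given age, or None.

    Simplified model: the deepest action the blob qualifies for wins (delete,
    then archive, then cool). The service additionally considers the blob's
    current tier, which this model ignores.
    """
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        filters = rule["definition"]["filters"]
        if blob_type not in filters["blobTypes"]:
            continue
        if not any(blob_name.startswith(p) for p in filters["prefixMatch"]):
            continue
        actions = rule["definition"]["actions"]["baseBlob"]
        for action in ("delete", "tierToArchive", "tierToCool"):
            threshold = actions.get(action, {}).get("daysAfterModificationGreaterThan")
            if threshold is not None and age_days > threshold:
                return action
    return None


def evaluate_inventory(policy: dict, inventory: List[dict], now: datetime) -> Dict[str, Optional[str]]:
    """Map each blob name to the action the policy would apply at `now`."""
    result: Dict[str, Optional[str]] = {}
    for blob in inventory:
        age = (now - blob["last_modified"]).days
        result[blob["name"]] = expected_action(policy, blob["name"], blob["type"], age)
    return result


# Constructed sample inventory (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"name": "logs/app-2024-05-31.log", "type": "blockBlob", "last_modified": NOW - timedelta(days=1)},
    {"name": "logs/app-2024-04-01.log", "type": "blockBlob", "last_modified": NOW - timedelta(days=61)},
    {"name": "logs/app-2022-01-01.log", "type": "blockBlob", "last_modified": NOW - timedelta(days=882)},
    {"name": "logs/old-2016.log", "type": "blockBlob", "last_modified": NOW - timedelta(days=3000)},
    {"name": "media/intro.mp4", "type": "blockBlob", "last_modified": NOW - timedelta(days=400)},  # prefix miss
    {"name": "logs/disk.vhd", "type": "pageBlob", "last_modified": NOW - timedelta(days=400)},  # type miss
]

if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))  # save as policy.json for the CLI
    for name, action in evaluate_inventory(policy, SAMPLE_INVENTORY, NOW).items():
        print(f"{name:28} -> {action}")
```

Running the script prints the policy document (ready to be saved and passed to the CLI) followed by one line per blob; the two blobs that miss the prefix or blob-type filter correctly come back with no action, which is the check to run before applying a rule to a production account.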

Storage Performance Tiers

Explanation

Azure Storage performance tiers provide different levels of throughput and IOPS capabilities. Standard performance uses HDD-based storage while Premium performance uses SSD-based storage for high-performance workloads.

Examples

Standard for general-purpose workloads, Premium for high-IOPS databases, Ultra SSD for mission-critical applications, Premium Files for high-performance file shares.

Enterprise Use Case

Used for database workloads requiring high IOPS, virtual machine disks with performance requirements, high-throughput analytics, and latency-sensitive applications.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                  ⚡ STORAGE PERFORMANCE TIERS                   │
└─────────────────────────────────────────────────────────────────┘

    🏎️ Performance Comparison
    ═════════════════════════

    📊 STANDARD (HDD)            🚀 PREMIUM (SSD)             ⚡ ULTRA SSD
    ──────────────────           ──────────────────           ─────────────

    💾 Storage: Magnetic HDD     💾 Storage: Premium SSD      💾 Storage: NVMe SSD
    ⚡ IOPS: Up to 500           ⚡ IOPS: Up to 20,000        ⚡ IOPS: Up to 160,000
    📈 Throughput: 60 MB/s       📈 Throughput: 900 MB/s      📈 Throughput: 4,000 MB/s
    ⏱️ Latency: 10-15ms          ⏱️ Latency: <5ms             ⏱️ Latency: <1ms
    💰 Cost: Lowest              💰 Cost: Medium              💰 Cost: Highest

    ┌─────────────────────┐     ┌─────────────────────┐      ┌─────────────────────┐
    │ 📁 File shares      │     │ 🗄️ SQL databases    │      │ 💾 Mission-critical │
    │ 📊 Data warehouses  │     │ 🎮 Gaming workloads │      │    databases        │
    │ 💾 Backup storage   │     │ 🌐 Web applications │      │ ⚡ Real-time        │
    │ 🗂️ Archive data     │     │ 📈 Analytics        │      │    analytics        │
    │ 📝 Development      │     │ 🖥️ VDI workloads    │      │ 🏦 Financial        │
    └─────────────────────┘     └─────────────────────┘      │    trading          │
                                                             └─────────────────────┘

    🎯 Workload Matching
    ═══════════════════

    💼 Use Case Analysis          📊 Performance Requirements    💰 Cost Considerations
    ───────────────────          ──────────────────────────    ────────────────────

    🔍 Assessment Questions:      📈 IOPS Requirements:         💲 Pricing Models:
    ┌─────────────────────┐      ┌─────────────────────┐       ┌─────────────────────┐
    │ • Access frequency? │      │ • <500: Standard    │       │ Standard:           │
    │ • Response time SLA?│      │ • 500-5K: Premium  │       │ • $/GB/month        │
    │ • Concurrent users? │      │ • 5K+: Premium/Ultra│       │ • Transaction costs │
    │ • Data size?        │      │                     │       │                     │
    │ • Budget constraints│      │ 📊 Throughput Needs:│       │ Premium:            │
    │                     │      │ • <60MB/s: Standard │       │ • Higher $/GB       │
    │ Workload Examples:  │      │ • 60-900: Premium  │       │ • No transactions   │
    │ • OLTP: Premium     │      │ • 900+: Ultra SSD   │       │                     │
    │ • OLAP: Standard    │      │                     │       │ Ultra SSD:          │
    │ • Archive: Standard │      │ ⏱️ Latency Targets: │       │ • Highest $/IOPS    │
    │ • Real-time: Ultra  │      │ • >10ms: Standard   │       │ • Pay per provision │
    └─────────────────────┘      │ • 5-10ms: Premium   │       │ • Granular scaling  │
                                 │ • <1ms: Ultra SSD   │       └─────────────────────┘
                                 └─────────────────────┘

    ⚙️ Configuration Options
    ═══════════════════════

    📋 Standard Storage          🚀 Premium Storage            ⚡ Ultra SSD Disks
    ──────────────────          ─────────────────────         ─────────────────

    🗄️ Account Types:            🎯 VM Disk Types:             🔧 Configurable:
    ┌─────────────────────┐     ┌─────────────────────┐       ┌─────────────────────┐
    │ • General Purpose v2│     │ • Premium SSD (P-series)    │ • IOPS: 2-160,000   │
    │ • Blob Storage      │     │   - P4: 120 IOPS    │       │ • Throughput:       │
    │ • Standard support  │     │   - P10: 500 IOPS   │       │   2-4,000 MB/s      │
    │ • LRS, ZRS, GRS     │     │   - P30: 5,000 IOPS │       │ • Size: 4GB-64TB    │
    │ • Hot/Cool tiers    │     │   - P80: 20,000     │       │ • Independent       │
    │                     │     │                     │       │   scaling           │
    │ 🌐 Services:        │     │ 📁 Premium Files:   │       │                     │
    │ • Blob Storage      │     │ • 100-100,000 IOPS  │       │ ⚠️ Limitations:     │
    │ • File Shares       │     │ • 100MB-10GB/s      │       │ • Zone availability │
    │ • Queue/Table       │     │ • Sub-ms latency    │       │ • Limited regions   │
    │ • Static websites   │     │ • SMB/NFS support   │       │ • Premium VMs only  │
    └─────────────────────┘     └─────────────────────┘       └─────────────────────┘

    📊 Monitoring & Optimization
    ═══════════════════════════

    📈 Key Metrics              🎯 Optimization Tips           🔧 Tools & Commands
    ──────────────              ─────────────────────         ──────────────────

    ⏱️ Performance Counters:     🚀 Performance Tuning:        🛠️ Azure CLI:
    ┌─────────────────────┐     ┌─────────────────────┐       ┌─────────────────┐
    │ • IOPS utilization  │     │ • Right-size disks  │       │ # Check metrics │
    │ • Throughput usage  │     │ • Use disk caching  │       │ az monitor      │
    │ • Latency patterns  │     │ • Optimize queue    │       │ metrics list    │
    │ • Queue depth       │     │   depth             │       │                 │
    │ • Error rates       │     │ • Consider stripe   │       │ # Scale disk    │
    │                     │     │   sets              │       │ az disk update  │
    │ 💰 Cost Tracking:   │     │ • Monitor bursting  │       │ --size-gb       │
    │ • Storage costs     │     │ • Plan capacity     │       │                 │
    │ • Transaction fees  │     │ • Use snapshots     │       │ # Premium Files │
    │ • Egress charges    │     │   efficiently       │       │ az storage      │
    └─────────────────────┘     └─────────────────────┘       │ share create    │
                                                              └─────────────────┘

Container Soft Delete

Explanation

Container soft delete protects blob containers from accidental deletion by retaining deleted containers for a specified period. This feature works alongside blob soft delete to provide comprehensive data protection.

Examples

Recovering accidentally deleted containers, protecting against script errors, protection against application bugs, compliance data retention for entire containers.

Enterprise Use Case

Used for container-level data protection, DevOps pipeline safety, application deployment rollbacks, and regulatory compliance requirements.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                   📦 CONTAINER SOFT DELETE                     │
└─────────────────────────────────────────────────────────────────┘

    🗂️ Container Lifecycle
    ══════════════════════

    Active Container             Soft Deleted Container        Permanent Deletion
    ────────────────             ──────────────────────        ──────────────────

    📦 "web-assets"              👻 "web-assets" (deleted)     ❌ [GONE FOREVER]
    ├── 📷 images/               ├── 📷 images/ (preserved)    
    ├── 🎨 css/                  ├── 🎨 css/ (preserved)      After retention
    ├── ⚡ js/                   ├── ⚡ js/ (preserved)       period expires
    └── 📄 index.html            └── 📄 index.html (preserved)
    
    ✅ Status: Active            ⚠️ Status: SOFT_DELETED       🔴 Status: N/A
    🔓 Access: Full Read/Write   🔒 Access: Read-only restore  ⛔ Access: None
    💰 Billing: Standard rates   💰 Billing: Storage only      💰 Billing: None
    ⏰ Duration: Unlimited       ⏰ Duration: Retention period  ⏰ Duration: N/A

    🔄 Recovery Process
    ══════════════════

    1️⃣ List Deleted Containers   2️⃣ Select Container          3️⃣ Restore Container
    ┌─────────────────────┐      ┌─────────────────────┐       ┌─────────────────────┐
    │ # Azure CLI         │      │ # Verify contents   │       │ # Undelete command  │
    │ az storage container│      │ Check metadata and  │       │ az storage container│
    │ list --include-     │      │ blob inventory      │       │ restore --name      │
    │ deleted --account-  │      │                     │       │ "web-assets"        │
    │ name mystorageacct  │      │ # Validate restore  │       │ --deleted-version   │
    │                     │      │ Confirm container   │       │ "2024-01-15T10:30"  │
    │ # PowerShell        │      │ is correct version  │       │                     │
    │ Get-AzStorageContainer      │                     │       │ # PowerShell        │
    │ -IncludeDeleted     │      │ # Portal View       │       │ Restore-AzStorage   │
    │                     │      │ Browse deleted      │       │ Container -Name     │
    │ # Portal            │      │ container contents  │       │ "web-assets"        │
    │ Storage Explorer → │      │ in read-only mode   │       │                     │
    │ Show deleted        │      │                     │       │ # Portal            │
    └─────────────────────┘      └─────────────────────┘       │ Deleted containers→ │
                                                               │ Restore selected    │
                                                               └─────────────────────┘

    ⚙️ Configuration Settings
    ════════════════════════

    📅 Retention Policy          🛡️ Protection Scope           ⚡ Feature Interaction
    ──────────────────          ─────────────────────         ────────────────────

    🕐 Duration Options:         🎯 What's Protected:          🔗 Combined Protection:
    ┌─────────────────────┐     ┌─────────────────────┐       ┌─────────────────────┐
    │ • Min: 1 day        │     │ • Container metadata│       │ Container Soft Delete│
    │ • Max: 365 days     │     │ • All blobs inside  │       │        +             │
    │ • Default: 7 days   │     │ • Access policies   │       │ Blob Soft Delete     │
    │ • Account-level     │     │ • Public access     │       │        =             │
    │   setting           │     │ • Encryption        │       │ Complete Protection  │
    │                     │     │ • Lifecycle rules   │       │                     │
    │ 🔧 Configuration:   │     │                     │       │ Benefits:           │
    │ • Portal enable     │     │ ❌ Not Protected:   │       │ • Container +       │
    │ • CLI/PowerShell    │     │ • Storage account   │       │   blob recovery     │
    │ • ARM templates     │     │ • Compute resources │       │ • Comprehensive     │
    │ • REST API          │     │ • Network config    │       │   data protection   │
    └─────────────────────┘     └─────────────────────┘       └─────────────────────┘

    💡 Best Practices & Scenarios
    ════════════════════════════

    🎯 Common Use Cases          ⚠️ Important Considerations    📊 Monitoring & Alerts
    ──────────────────          ─────────────────────────     ────────────────────

    🚀 Deployment Safety:       💰 Cost Implications:         📈 Tracking Metrics:
    ┌─────────────────────┐     ┌─────────────────────┐       ┌─────────────────────┐
    │ • CI/CD pipelines   │     │ • Deleted containers│       │ • Deletion events   │
    │ • Blue/green deploy │     │   still incur costs │       │ • Recovery success  │
    │ • Canary releases   │     │ • Monitor retention │       │ • Storage usage     │
    │ • Rollback strategy │     │ • Set reasonable    │       │ • Cost tracking     │
    │                     │     │   retention periods │       │                     │
    │ 🛡️ Human Error:     │     │                     │       │ 🔔 Alert Setup:     │
    │ • Script mistakes   │     │ ⏰ Timing Factors:  │       │ • Container deletion│
    │ • Wrong environment │     │ • Recovery window   │       │ • Retention expiry  │
    │ • Bulk operations   │     │ • Business hours    │       │ • Failed restores   │
    │ • Permission errors │     │ • SLA requirements  │       │ • Unusual activity  │
    │                     │     │ • Audit trails      │       │                     │
    │ 📋 Compliance:      │     │                     │       │ # Enable alerts     │
    │ • Regulatory reqs   │     │ 🔒 Security Notes:  │       │ az monitor metrics  │
    │ • Data retention    │     │ • RBAC permissions  │       │ alert create        │
    │ • Audit requirements│     │ • Access logs       │       │ --condition         │
    │ • Legal holds       │     │ • Restore approval  │       │ "StorageDelete"     │
    └─────────────────────┘     └─────────────────────┘       └─────────────────────┘

Azure AD Authorization for Storage

Explanation

Azure AD authorization provides identity-based access control for Azure Storage using RBAC roles and fine-grained permissions. It integrates with corporate identity systems and provides comprehensive audit trails.

Examples

Assigning Storage Blob Data Reader to users, using managed identities for applications, conditional access policies, multi-factor authentication for storage access.

Enterprise Use Case

Enterprises use Azure AD authorization for centralized identity management, compliance requirements, zero-trust security models, and seamless user experience across cloud services.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                    🆔 AZURE AD STORAGE AUTHORIZATION            │
└─────────────────────────────────────────────────────────────────┘

    🔐 Identity-Based Access Control
    ═══════════════════════════════

    Azure AD Tenant                  Azure Storage Account
    ───────────────                  ─────────────────────

    👤 Users & Groups                📦 Storage Resources
    ┌─────────────────────┐         ┌─────────────────────────────────┐
    │ 👨‍💼 John (Developer)  │         │ 📁 Container: "app-data"        │
    │ 👩‍💼 Sarah (Manager)   │◄────────┤ ├── 📄 logs/                   │
    │ 👥 DevTeam Group     │ RBAC    │ ├── 📄 config/                 │
    │ 👥 DataAnalysts      │ Rules   │ └── 📄 backups/                │
    │                     │         │                                 │
    │ 🤖 App Registration  │         │ 📁 Container: "public-web"     │
    │ ├── ClientApp       │         │ ├── 📷 images/                  │
    │ ├── BackendAPI      │         │ ├── 🎨 css/                     │
    │ └── DataProcessor   │         │ └── ⚡ js/                      │
    └─────────────────────┘         └─────────────────────────────────┘

    📋 RBAC Role Assignments
    ═══════════════════════

    🔒 Built-in Storage Roles        🎯 Permission Scope             ⚙️ Assignment Methods
    ──────────────────────          ─────────────────────          ──────────────────

    🗂️ Storage Account Roles:        📊 Scope Hierarchy:            🌐 Azure Portal:
    ┌─────────────────────┐         ┌─────────────────────┐        ┌─────────────────┐
    │ • Owner             │         │ 🏢 Management Group │        │ • IAM blade     │
    │ • Contributor       │         │ ├── 📋 Subscription │        │ • Role assignment│
    │ • Reader            │         │ ├── 🏷️ Resource Group│       │ • Scope selection│
    │ • Storage Account   │         │ ├── 🗄️ Storage Account│      │ • User/group    │
    │   Contributor       │         │ └── 📦 Container/Share│       │   picker        │
    └─────────────────────┘         └─────────────────────┘        └─────────────────┘

    📄 Blob Data Roles:             🎛️ Fine-grained Control:       💻 Azure CLI:
    ┌─────────────────────┐         ┌─────────────────────┐        ┌─────────────────┐
    │ • Blob Data Owner   │         │ • Read permissions  │        │ az role         │
    │ • Blob Data        │         │ • Write permissions │        │ assignment      │
    │   Contributor       │         │ • Delete permissions│        │ create --role   │
    │ • Blob Data Reader  │         │ • List permissions  │        │ --assignee      │
    │ • Blob Delegator    │         │ • Execute perms     │        │ --scope         │
    └─────────────────────┘         └─────────────────────┘        └─────────────────┘

    🔄 Authentication Flow
    ═════════════════════

    1️⃣ Token Request               2️⃣ Identity Validation         3️⃣ Permission Check
    ┌─────────────────────┐       ┌─────────────────────┐        ┌─────────────────┐
    │ 👤 User Login       │       │ 🆔 Azure AD         │        │ 📊 RBAC Engine  │
    │ • Username/Password │──────▶│ • MFA verification  │───────▶│ • Role lookup   │
    │ • Certificate       │       │ • Conditional access│        │ • Scope check   │
    │ • Managed Identity  │       │ • Policy evaluation │        │ • Permission    │
    │                     │       │ • Token generation  │        │   validation    │
    │ 🔐 OAuth 2.0 Flow:  │       │                     │        │                 │
    │ • Authorization     │       │ 🎫 JWT Token:       │        │ ✅ Access       │
    │   Code Grant        │       │ • Claims            │        │ Decision:       │
    │ • Client Credentials│       │ • Expiration        │        │ • Allow/Deny    │
    │ • Device Code       │       │ • Signature         │        │ • Audit log     │
    └─────────────────────┘       └─────────────────────┘        └─────────────────┘
                │                           │                            │
                ▼                           ▼                            ▼
    4️⃣ Storage Access Request     5️⃣ Token Validation           6️⃣ Resource Access
    ┌─────────────────────┐       ┌─────────────────────┐        ┌─────────────────┐
    │ 📤 API Call         │       │ 🔍 Token Inspection │        │ 📁 Blob/File    │
    │ • Bearer token      │──────▶│ • Signature verify  │───────▶│   Operations    │
    │ • Resource URI      │       │ • Expiry check      │        │ • Read/Write    │
    │ • HTTP operation    │       │ • Audience validate │        │ • Delete/List   │
    │ • Request headers   │       │ • Claims extraction │        │ • Metadata      │
    └─────────────────────┘       └─────────────────────┘        └─────────────────┘

    💡 Best Practices & Benefits
    ═══════════════════════════

    🎯 Security Benefits           🛡️ Implementation Tips         📊 Monitoring & Compliance
    ─────────────────────         ─────────────────────────      ────────────────────────

    ✅ Advantages:                🔧 Setup Guidelines:           📈 Audit & Tracking:
    ┌─────────────────────┐       ┌─────────────────────┐       ┌─────────────────────┐
    │ • No shared secrets │       │ • Use least privilege│       │ • Azure AD logs     │
    │ • Centralized mgmt  │       │ • Assign to groups   │       │ • Storage analytics │
    │ • Audit trails      │       │ • Regular access     │       │ • Activity logs     │
    │ • MFA support       │       │   reviews           │       │ • Sign-in risks     │
    │ • Conditional access│       │ • Managed identities │       │ • Compliance        │
    │ • Time-based access │       │   for apps          │       │   reports           │
    │ • Risk-based auth   │       │ • Custom roles      │       │ • Access analytics  │
    │ • Zero trust ready  │       │   when needed       │       │ • Anomaly detection │
    └─────────────────────┘       └─────────────────────┘       └─────────────────────┘
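Added example (not code from the guide or from Azure): a Python model of the permission-check step in the flow above, showing role lookup, scope inheritance down the hierarchy, and data-action matching. The role definitions are a reduced subset of the built-in Storage Blob Data roles, and the subscription id, resource group, account, containers, users, group memberships and assignments are all constructed.

```python
"""Model how Azure RBAC decides a blob data-plane request:
role lookup, scope inheritance, then data-action match.

Added example (not the guide's or Azure's code). Role definitions are a
reduced subset of the built-in Storage Blob Data roles; every principal,
group, scope and assignment below is constructed.
"""
from typing import Dict, List, Set

# Subset of the built-in roles' data actions (the real definitions contain more).
ROLE_DATA_ACTIONS: Dict[str, Set[str]] = {
    "Storage Blob Data Reader": {
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    },
    "Storage Blob Data Contributor": {
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
    },
    # Control-plane role: manages the account but carries no blob data actions,
    # so with Azure AD authorization it cannot read or write blobs.
    "Contributor": set(),
}

# Constructed scope hierarchy: subscription -> resource group -> account -> container.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stapp"
CONTAINER = ACCOUNT + "/blobServices/default/containers/app-data"
PUBLIC = ACCOUNT + "/blobServices/default/containers/public-web"

# Constructed group memberships and (principal, role, scope) assignments.
GROUPS: Dict[str, List[str]] = {"john": ["DevTeam"], "sarah": ["DevTeam", "Managers"]}
ASSIGNMENTS = [
    ("DevTeam", "Storage Blob Data Reader", ACCOUNT),      # inherited by every container
    ("john", "Storage Blob Data Contributor", CONTAINER),  # write/delete only in app-data
    ("sarah", "Contributor", RG),                          # control plane only
]


def scope_covers(assignment_scope: str, resource: str) -> bool:
    """A role assigned at a scope applies to that scope and everything beneath it."""
    return resource == assignment_scope or resource.startswith(assignment_scope + "/")


def effective_actions(principal: str, resource: str) -> Set[str]:
    """Union of data actions from every assignment that reaches `resource`.

    Assignments are additive: a narrower assignment never removes what a
    broader one granted higher in the hierarchy.
    """
    identities = {principal, *GROUPS.get(principal, [])}
    actions: Set[str] = set()
    for who, role, scope in ASSIGNMENTS:
        if who in identities and scope_covers(scope, resource):
            actions |= ROLE_DATA_ACTIONS[role]
    return actions


def is_allowed(principal: str, resource: str, operation: str) -> bool:
    """Decide a blob operation ('read', 'write' or 'delete') on `resource`."""
    action = f"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/{operation}"
    return action in effective_actions(principal, resource)


if __name__ == "__main__":
    checks = [("john", CONTAINER, "write"), ("john", PUBLIC, "write"),
              ("sarah", CONTAINER, "read"), ("sarah", PUBLIC, "write")]
    for who, res, op in checks:
        verdict = "ALLOW" if is_allowed(who, res, op) else "DENY"
        print(f"{who:6} {op:6} {res.rsplit('/', 1)[-1]:11} -> {verdict}")
```

The instructive case is Sarah: Contributor at the resource group lets her manage the storage account, yet her only blob access is the read permission inherited from the DevTeam assignment at the account scope. That separation between control-plane and data-plane roles is what makes Azure AD authorization safer than handing out account keys.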

Shared Access Signatures (SAS) Comprehensive

Explanation

Shared Access Signatures provide secure, granular, time-limited access to Azure Storage resources. SAS tokens can be scoped to specific resources, operations, and time periods without exposing storage account keys.

Examples

Temporary upload access for web forms, secure download links for files, delegated access for third-party applications, time-limited backup operations.

Enterprise Use Case

Organizations use SAS for secure file sharing, mobile app integrations, partner data exchange, scheduled data processing, and temporary access scenarios.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│              🎫 SHARED ACCESS SIGNATURES (SAS) SYSTEM          │
└─────────────────────────────────────────────────────────────────┘

    🎭 SAS Token Types & Hierarchy
    ═════════════════════════════

    🏢 Account SAS                  📦 Service SAS                 👤 User Delegation SAS
    ──────────────                  ──────────────                 ──────────────────────

    🔐 Storage Account Key          🔐 Storage Account Key         🆔 Azure AD Credentials
    ┌─────────────────────┐        ┌─────────────────────┐        ┌─────────────────────┐
    │ ✅ All services     │        │ 🎯 Single service   │        │ 🛡️ Most secure      │
    │ ✅ Account-level    │        │ • Blob Storage      │        │ 🆔 Identity-based   │
    │ ✅ Cross-service    │        │ • File Storage      │        │ ⏰ Short-lived      │
    │    operations       │        │ • Queue Storage     │        │ 🔄 Renewable        │
    │ ⚠️ Broad permissions│        │ • Table Storage     │        │ 📊 Better auditing  │
    │                     │        │                     │        │ 🎯 Blob only        │
    │ Use Cases:          │        │ Use Cases:          │        │                     │
    │ • Cross-service     │        │ • Service-specific  │        │ Use Cases:          │
    │   operations        │        │   access            │        │ • User-scoped access│
    │ • Administrative    │        │ • API integrations  │        │ • Modern apps       │
    │   tasks             │        │ • Mobile apps       │        │ • Zero-trust model  │
    └─────────────────────┘        └─────────────────────┘        └─────────────────────┘

    🎛️ SAS Token Configuration
    ═══════════════════════════

    🗓️ Time Controls               🔒 Permission Controls          🎯 Resource Controls
    ────────────────               ─────────────────────          ─────────────────────

    ⏰ Temporal Restrictions:      📋 Operation Permissions:       📍 Scope Limitations:
    ┌─────────────────────┐       ┌─────────────────────┐         ┌─────────────────────┐
    │ • Start time (st)   │       │ 📖 Read (r)         │         │ • Service level     │
    │ • Expiry time (se)  │       │ 📝 Write (w)        │         │ • Container/Share   │
    │ • Max 7 days        │       │ 🗑️ Delete (d)       │         │ • Object level      │
    │   (best practice)   │       │ 📋 List (l)         │         │ • Path prefix       │
    │ • Auto-expiration   │       │ ➕ Add (a)          │         │ • IP restrictions   │
    │ • Clock skew        │       │ 🔧 Create (c)       │         │ • Protocol (HTTPS)  │
    │   tolerance         │       │ 📊 Update (u)       │         │ • Version control   │
    │ • UTC timezone      │       │ 🏷️ Process (p)      │         │ • Conditional headers│
    └─────────────────────┘       └─────────────────────┘         └─────────────────────┘

    🔧 SAS Generation Methods
    ═════════════════════════

    🌐 Azure Portal                💻 Azure CLI                   ⚡ PowerShell
    ──────────────                ────────────                   ─────────────

    🖱️ GUI-based generation:       📟 Command-line interface:     🔷 PowerShell cmdlets:
    ┌─────────────────────┐       ┌─────────────────────┐        ┌─────────────────────┐
    │ 1. Navigate to      │       │ # Generate blob SAS │        │ # Service SAS       │
    │    storage account  │       │ az storage blob     │        │ New-AzStorageBlob   │
    │ 2. Select container │       │ generate-sas        │        │ SasToken            │
    │ 3. Choose "Generate │       │ --account-name      │        │ -Container $cont    │
    │    SAS"            │       │ myaccount           │        │ -Blob $blob         │
    │ 4. Set permissions  │       │ --container-name    │        │ -Permission r       │
    │ 5. Configure expiry │       │ mycontainer         │        │ -ExpiryTime $exp    │
    │ 6. Copy token       │       │ --name myblob.txt   │        │                     │
    │                     │       │ --permissions r     │        │ # Account SAS       │
    │ ✅ User-friendly     │       │ --expiry            │        │ New-AzStorageAccount│
    │ ⚠️ Limited options   │       │ 2024-12-31T23:59Z   │        │ SasToken -Service   │
    └─────────────────────┘       └─────────────────────┘        │ b -ResourceType sco │
                                                                 └─────────────────────┘

    📊 SAS Token Structure & Usage
    ══════════════════════════════

    🎫 Token Anatomy                📤 Usage Patterns              🔍 Security Considerations
    ────────────────               ─────────────────             ─────────────────────────

    🔗 URL Structure:               💡 Common Implementations:     ⚠️ Security Best Practices:
    ┌─────────────────────────────┐ ┌─────────────────────┐       ┌─────────────────────┐
    │ https://account.blob.core.  │ │ 🌐 Web Applications: │       │ • Minimize permissions│
    │ windows.net/container/      │ │ • File upload forms │       │ • Short expiration  │
    │ blob.txt?                   │ │ • Download portals  │       │ • HTTPS only        │
    │                             │ │ • Media streaming   │       │ • IP restrictions   │
    │ Query Parameters:           │ │                     │       │ • Monitor usage     │
    │ • sv=2020-04-08 (version)   │ │ 📱 Mobile Apps:     │       │ • Revoke if needed  │
    │ • ss=b (service)            │ │ • Photo uploads     │       │ • Rotate keys       │
    │ • srt=o (resource type)     │ │ • Document sync     │       │ • Log access        │
    │ • sp=r (permissions)        │ │ • Offline cache     │       │ • Validate tokens   │
    │ • se=2024-12-31 (expiry)    │ │                     │       │                     │
    │ • sig=<signature>           │ │ 🔗 API Integration: │       │ ❌ Anti-patterns:    │
    └─────────────────────────────┘ │ • Partner systems   │       │ • Long expiration   │
                                    │ • Data pipelines    │       │ • Broad permissions │
                                    │ • Backup solutions  │       │ • HTTP usage        │
                                    └─────────────────────┘       └─────────────────────┘

    🛠️ Advanced SAS Features
    ════════════════════════

    📋 Stored Access Policies       🔄 SAS Renewal Strategies      📊 Monitoring & Analytics
    ──────────────────────         ────────────────────────       ─────────────────────

    🗂️ Policy-based SAS:            🔄 Rotation Approaches:        📈 Tracking Usage:
    ┌─────────────────────┐         ┌─────────────────────┐       ┌─────────────────────┐
    │ • Container level   │         │ 🕐 Time-based:      │       │ • Storage Analytics │
    │ • Centralized mgmt  │         │   • Auto-renewal    │       │ • Request logs      │
    │ • Bulk revocation   │         │   • Scheduled tasks │       │ • Metrics tracking  │
    │ • Policy updates    │         │                     │       │ • Usage patterns    │
    │ • Simplified tokens │         │ 📊 Usage-based:     │       │ • Cost analysis     │
    │                     │         │   • Demand triggers │       │ • Security audits   │
    │ Benefits:           │         │   • Load monitoring │       │ • Error tracking    │
    │ • Easier management │         │                     │       │ • Performance       │
    │ • Instant revocation│         │ 🔒 Security-based:  │       │   monitoring        │
    │ • Consistent policy │         │   • Risk assessment │       │ • Compliance        │
    │ • Audit compliance  │         │   • Anomaly detection│      │   reporting         │
    └─────────────────────┘         └─────────────────────┘       └─────────────────────┘
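Added example (not code from the guide): a Python audit function that parses a SAS URL's query parameters (sv, ss, srt, sr, sp, st, se, spr, sip, si, sig) and reports the anti-patterns listed above: HTTP allowed, delete or broad permissions, a lifetime beyond the 7-day guideline, no IP restriction, and an account SAS spanning all services and resource types. The sample URLs, account name, IP range and signatures are constructed placeholders, and the "broad permissions" threshold is a heuristic assumed by this script.

```python
"""Audit a SAS URL for the anti-patterns the guide warns about.

Added example (not the study guide's own code). Sample URLs, account name,
IP range and signatures are constructed placeholders; the 7-day lifetime
limit is the guide's best-practice figure and the 'broad permissions'
heuristic is an assumption of this script.
"""
from datetime import datetime, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME_DAYS = 7


def parse_sas_time(value: str) -> datetime:
    """Parse the ISO 8601 forms a SAS accepts: date only, minutes, or seconds, all UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def sas_params(url: str) -> Dict[str, str]:
    """Return the SAS query parameters as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def audit_sas_url(url: str, now: datetime) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means no anti-pattern found."""
    q = sas_params(url)
    findings: List[str] = []

    # spr omitted means the service default, which permits both https and http.
    if urlsplit(url).scheme != "https" or q.get("spr", "https,http") != "https":
        findings.append("HTTP: token usable over plain HTTP (issue with spr=https)")

    sp = q.get("sp", "")
    if "d" in sp:
        findings.append("DELETE: token can delete data")
    if len(set(sp) - {"r", "l"}) >= 3:  # assumed heuristic for 'broad'
        findings.append(f"BROAD: permission set {sp!r} goes far beyond read/list")

    if "se" in q:
        start = parse_sas_time(q["st"]) if "st" in q else now
        lifetime_days = (parse_sas_time(q["se"]) - start).total_seconds() / 86400
        if lifetime_days > MAX_LIFETIME_DAYS:
            findings.append(f"LIFETIME: valid for {lifetime_days:.0f} days (> {MAX_LIFETIME_DAYS})")
    elif "si" not in q:
        # Without se, the expiry has to come from a stored access policy (si).
        findings.append("NO-EXPIRY: no se and no stored access policy")

    if "sip" not in q:
        findings.append("NO-IP: no sip restriction")

    if q.get("ss") == "bfqt" and set(q.get("srt", "")) == {"s", "c", "o"}:
        findings.append("ACCOUNT-WIDE: account SAS over all services and resource types")

    return findings


# Constructed sample URLs; the account name and signatures are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
BAD_URL = ("https://stapp.blob.core.windows.net/app-data/report.pdf"
           "?sv=2020-04-08&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-12-31T23:59Z"
           "&spr=https,http&sig=PLACEHOLDER")
GOOD_URL = ("https://stapp.blob.core.windows.net/app-data/report.pdf"
            "?sv=2020-04-08&sr=b&sp=r&st=2024-06-01T00:00Z&se=2024-06-02T00:00Z"
            "&spr=https&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")
UPLOAD_URL = ("https://stapp.blob.core.windows.net/uploads/form.bin"
              "?sv=2020-04-08&sr=b&sp=cw&se=2024-06-01T01:00Z&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("bad", BAD_URL), ("good", GOOD_URL), ("upload", UPLOAD_URL)):
        print(f"[{label}]")
        for finding in audit_sas_url(url, NOW) or ["OK: no findings"]:
            print("  " + finding)
```

The third sample shows why the checks are separate findings rather than a single score: a one-hour, create-plus-write token for an upload form is a legitimate pattern and trips only the IP-restriction check, whereas the account-wide token fails every one. Run the function over SAS URLs found in application configuration or logs to spot tokens that need to be regenerated with tighter parameters.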

Storage Account Access Keys

Explanation

Storage account access keys provide full administrative access to Azure Storage accounts. Each account has two keys for rotation purposes, and they grant unrestricted access to all storage services and operations.

Examples

Application configuration for legacy systems, administrative scripts, emergency access scenarios, service-to-service authentication for trusted environments.

Enterprise Use Case

Organizations use access keys for legacy application integration, administrative automation, disaster recovery procedures, and scenarios where Azure AD integration is not feasible.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                     🔑 STORAGE ACCOUNT ACCESS KEYS             │
└─────────────────────────────────────────────────────────────────┘

    🔐 Key Management Architecture
    ═════════════════════════════

    Storage Account                  Access Key System              Service Access
    ───────────────                  ─────────────────              ──────────────

    🏪 mystorageaccount              🔑 Dual Key System             🌐 All Storage Services
    ┌─────────────────────┐         ┌─────────────────────┐        ┌─────────────────────┐
    │ 📊 Account Settings │         │ 🔑 Primary Key      │        │ 📁 Blob Storage     │
    │ ├── Performance     │◄────────┤ • key1 (active)     │───────▶│ • Containers        │
    │ ├── Replication     │         │ • 512-bit length    │        │ • Blob operations   │
    │ ├── Access Tier     │         │ • Base64 encoded    │        │                     │
    │ └── Networking      │         │ • Full permissions  │        │ 📄 File Storage     │
    │                     │         │                     │        │ • File shares       │
    │ 🔒 Security Config  │         │ 🔑 Secondary Key    │        │ • File operations   │
    │ ├── Encryption      │         │ • key2 (standby)    │        │                     │
    │ ├── Firewall        │         │ • Independent       │        │ 📋 Queue Storage    │
    │ ├── Private endpt   │         │ • Rotation ready    │        │ • Message queues    │
    │ └── Access Keys     │         │ • Same permissions  │        │ • Queue operations  │
    └─────────────────────┘         └─────────────────────┘        │                     │
                                            │                      │ 📊 Table Storage    │
                                            ▼                      │ • NoSQL tables      │
                                    ⚙️ Key Rotation:               │ • Entity operations │
                                    • Zero-downtime                └─────────────────────┘
                                    • Independent keys
                                    • Scheduled updates
                                    • Emergency regeneration

    🔧 Access Methods & Authentication
    ═════════════════════════════════

    🌐 REST API Access              💻 SDK Integration              📟 CLI Tools
    ─────────────────────          ──────────────────             ─────────────

    🔗 HTTP Authorization:          👨‍💻 Application Code:            🛠️ Command Line:
    ┌─────────────────────┐        ┌─────────────────────┐         ┌─────────────────┐
    │ # Request Headers   │        │ # .NET Example      │         │ # Azure CLI     │
    │ Authorization:      │        │ var account = new   │         │ az storage blob │
    │ SharedKey           │        │ CloudStorageAccount │         │ upload          │
    │ mystorageacct:      │        │ (connString);       │         │ --account-key   │
    │ <signature>         │        │                     │         │ <access-key>    │
    │                     │        │ # Python Example    │         │                 │
    │ x-ms-date:          │        │ from azure.storage  │         │ # PowerShell    │
    │ Thu, 15 Dec 2024    │        │ import BlobClient   │         │ Set-AzStorage   │
    │ GMT                 │        │                     │         │ Context         │
    │                     │        │ client = BlobClient │         │ -StorageAccount │
    │ x-ms-version:       │        │ .from_connection    │         │ Name $account   │
    │ 2020-04-08          │        │ _string(conn_str)   │         │ -StorageAccount │
    └─────────────────────┘        └─────────────────────┘         │ Key $key        │
                                                                   └─────────────────┘

    ⚡ Key Rotation Strategy
    ══════════════════════

    🔄 Zero-Downtime Rotation       📅 Rotation Schedule           🔔 Monitoring & Alerts
    ──────────────────────         ─────────────────             ─────────────────────

    📊 Rotation Process:            🗓️ Recommended Timeline:       📈 Key Usage Tracking:
    ┌─────────────────────┐        ┌─────────────────────┐        ┌─────────────────────┐
    │ 1. 🔍 Inventory     │        │ 📅 Regular Schedule:│        │ • Access patterns   │
    │    current usage    │        │ • Every 90 days     │        │ • Application logs  │
    │                     │        │ • Compliance driven │        │ • Failed attempts   │
    │ 2. 🔑 Regenerate    │        │ • Risk assessment   │        │ • Usage analytics   │
    │    secondary key    │        │                     │        │                     │
    │                     │        │ ⚠️ Emergency Rotation:│       │ 🚨 Alert Triggers:  │
    │ 3. 🔄 Update apps   │        │ • Security breach   │        │ • Suspicious access │
    │    to use key2      │        │ • Key exposure      │        │ • Failed auth       │
    │                     │        │ • Staff changes     │        │ • Unusual patterns  │
    │ 4. ✅ Validate     │        │ • Audit findings    │        │ • Compliance gaps   │
    │    app functionality│        │                     │        │                     │
    │                     │        │ 🎯 Planning Factors:│        │ 📊 Reporting:       │
    │ 5. 🔑 Regenerate    │        │ • App dependencies  │        │ • Key age tracking  │
    │    primary key      │        │ • Maintenance       │        │ • Rotation history  │
    │                     │        │   windows           │        │ • Compliance status │
    │ 6. 🔄 Update apps   │        │ • Team availability │        │ • Security metrics  │
    │    back to key1     │        │ • Testing cycles    │        └─────────────────────┘
    └─────────────────────┘        └─────────────────────┘

    ⚠️ Security Considerations & Best Practices
    ═══════════════════════════════════════════

    🛡️ Security Measures           🎯 Usage Guidelines             📋 Compliance Requirements
    ─────────────────────         ──────────────────             ──────────────────────

    🔒 Protection Strategies:       ✅ Best Practices:             📊 Audit & Governance:
    ┌─────────────────────┐        ┌─────────────────────┐        ┌─────────────────────┐
    │ 🗄️ Secure Storage:   │        │ • Limit usage scope │        │ • Access logging    │
    │ • Azure Key Vault   │        │ • Regular rotation  │        │ • Change tracking   │
    │ • App configuration │        │ • Environment       │        │ • Compliance        │
    │ • Environment vars  │        │   separation        │        │   reporting         │
    │ • Encrypted files   │        │ • Monitor usage     │        │ • Risk assessment   │
    │                     │        │ • Document policies │        │ • Security reviews  │
    │ 🚫 Avoid:            │        │                     │        │                     │
    │ • Plain text files  │        │ 🎯 Preferred        │        │ 📋 Documentation:   │
    │ • Source code       │        │   Alternatives:     │        │ • Key inventory     │
    │ • Public repos      │        │ • Azure AD (OAuth)  │        │ • Rotation logs     │
    │ • Email/Slack       │        │ • Managed Identity  │        │ • Access policies   │
    │ • Unencrypted DBs   │        │ • SAS tokens        │        │ • Incident response │
    │ • Client-side code  │        │ • Service principals│        │ • Recovery procedures│
    └─────────────────────┘        └─────────────────────┘        └─────────────────────┘
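The SharedKey header from the diagram and the six-step rotation it enables, modelled offline as an added example (not the study guide's code or the Azure SDK): the signing scheme follows the documented string-to-sign format, the service side is a small model (`AccountKeys`) that accepts either current key, and the account name, keys, request URL and headers are constructed sample values.

```python
"""SharedKey request signing and the dual-key rotation it enables.

Added example for this study guide (not Microsoft SDK code). It models, offline,
the scheme shown in the diagram (Authorization: SharedKey <account>:<signature>)
and then replays the six-step zero-downtime rotation. Account name, keys,
headers and URL are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ACCOUNT = "mystorageacct"
# Constructed keys: real access keys are 64 random bytes, base64-encoded.
KEY1 = base64.b64encode(bytes(range(64))).decode()
KEY2 = base64.b64encode(bytes(range(64, 128))).decode()

# Standard headers in the fixed order the service signs them (an absent header
# still contributes an empty line).
STANDARD_HEADERS = [
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
]


def string_to_sign(account, method, url, headers):
    """Canonical string for the Blob/Queue/File SharedKey scheme (2009-09-19 format)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    parts = [method.upper()]
    for name in STANDARD_HEADERS:
        value = h.get(name, "")
        if name == "content-length" and value == "0":
            value = ""  # zero length is signed as empty since version 2015-02-21
        parts.append(value)
    # x-ms-* headers: lowercased, sorted by name, each as "name:value\n"
    ms = sorted((k, v) for k, v in h.items() if k.startswith("x-ms-"))
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in ms)
    # Resource: /account/path, then query parameters sorted, each as "\nname:value"
    u = urlsplit(url)
    resource = f"/{account}{u.path or '/'}"
    query = parse_qs(u.query, keep_blank_values=True)
    for name, values in sorted((k.lower(), v) for k, v in query.items()):
        resource += f"\n{name}:{','.join(sorted(values))}"
    return "\n".join(parts) + "\n" + canonical_headers + resource


def sign_request(account, key_b64, method, url, headers):
    """Authorization header value: HMAC-SHA256 over the string-to-sign, keyed with
    the base64-decoded account key. Anyone holding the key can produce this for
    any request, which is why the key is a full-control credential."""
    digest = hmac.new(base64.b64decode(key_b64),
                      string_to_sign(account, method, url, headers).encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode()}"


class AccountKeys:
    """Models the two keys of one storage account as the service sees them."""

    def __init__(self, key1, key2):
        self.keys = {"key1": key1, "key2": key2}

    def accepts(self, authorization, method, url, headers, account):
        """The service validates a signature against either current key."""
        return any(
            hmac.compare_digest(sign_request(account, k, method, url, headers), authorization)
            for k in self.keys.values())

    def renew(self, name):
        """Equivalent of 'az storage account keys renew --key key1|key2':
        the old value stops working immediately."""
        self.keys[name] = base64.b64encode(secrets.token_bytes(64)).decode()
        return self.keys[name]


def rotation_walkthrough():
    """Replays the six-step rotation from the diagram. Returns (step, accepted)
    pairs for a client request at each stage; every step is accepted except the
    deliberately stale request signed with the retired key1."""
    keys = AccountKeys(KEY1, KEY2)
    method = "GET"
    url = f"https://{ACCOUNT}.blob.core.windows.net/backups?restype=container&comp=list"
    headers = {"x-ms-date": "Sun, 15 Dec 2024 10:00:00 GMT", "x-ms-version": "2020-04-08"}
    state = {"client_key": keys.keys["key1"]}  # step 1: inventory shows apps on key1

    def client_request_ok():
        auth = sign_request(ACCOUNT, state["client_key"], method, url, headers)
        return keys.accepts(auth, method, url, headers, ACCOUNT)

    steps = [("1 inventory: apps use key1", client_request_ok())]
    keys.renew("key2")                                   # step 2: regenerate secondary
    steps.append(("2 key2 regenerated, apps still on key1", client_request_ok()))
    state["client_key"] = keys.keys["key2"]              # step 3: update apps to key2
    steps.append(("3/4 apps moved to key2 and validated", client_request_ok()))
    keys.renew("key1")                                   # step 5: regenerate primary
    steps.append(("5 key1 regenerated, apps on key2", client_request_ok()))
    stale = sign_request(ACCOUNT, KEY1, method, url, headers)
    steps.append(("5 request signed with retired key1",
                  keys.accepts(stale, method, url, headers, ACCOUNT)))
    state["client_key"] = keys.keys["key1"]              # step 6: apps back to new key1
    steps.append(("6 apps back on new key1", client_request_ok()))
    return steps


if __name__ == "__main__":
    for step, ok in rotation_walkthrough():
        print(f"{'accepted' if ok else 'REJECTED'}  {step}")
```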

Storage Encryption with Customer-Managed Keys

Explanation

Azure Storage encryption protects data at rest using 256-bit AES encryption. Microsoft-managed keys are the default; Customer-Managed Keys (CMK) give you control over the encryption keys through Azure Key Vault integration.

Examples

Using Azure Key Vault for key management, automatic key rotation policies, compliance with regulatory requirements, geo-redundant key backup strategies.

Enterprise Use Case

Organizations implement CMK for enhanced security control, compliance requirements (FIPS 140-2), regulatory mandates, and sovereign data protection needs.

Diagram

┌─────────────────────────────────────────────────────────────────┐
│                🔐 STORAGE ENCRYPTION WITH CMK                  │
└─────────────────────────────────────────────────────────────────┘

    🛡️ Encryption Architecture
    ══════════════════════════

    Key Management Service           Storage Account                 Data Protection
    ──────────────────────          ───────────────                ──────────────

    🔑 Azure Key Vault              📦 Storage Encryption          🔒 Encrypted Data
    ┌─────────────────────┐        ┌─────────────────────┐         ┌─────────────────┐
    │ 🏦 Premium HSM      │        │ 🎛️ Encryption       │         │ 📄 Blob Data    │
    │ • Hardware Security │◄───────┤   Configuration     │────────▶│ • AES-256       │
    │   Modules           │ Key    │ • CMK enabled       │ Encrypt │ • Transparent   │
    │ • FIPS 140-2 L2     │ Fetch  │ • Key Vault URI     │   /     │ • At-rest       │
    │                     │        │ • Key identifier    │ Decrypt │                 │
    │ 🔄 Key Operations:  │        │                     │         │ 📁 File Data    │
    │ • Create            │        │ 📊 Encryption       │         │ • Share level   │
    │ • Rotate            │        │   Scope:            │         │ • File level    │
    │ • Backup            │        │ • Account level     │         │ • Metadata      │
    │ • Recover           │        │ • Service level     │         │                 │
    │ • Audit             │        │ • Container level   │         │ 📋 Other Data   │
    │                     │        │                     │         │ • Queue messages│
    │ 🎯 Access Control:  │        │ ⚙️ Key Management:  │         │ • Table entities│
    │ • RBAC              │        │ • Automatic refresh │         │ • Temp data     │
    │ • Access policies   │        │ • Grace period      │         │ • Cache data    │
    │ • Managed Identity  │        │ • Fallback to MSK   │         │ • Log files     │
    └─────────────────────┘        └─────────────────────┘         └─────────────────┘

    🔧 CMK Implementation Types
    ══════════════════════════

    👤 Customer-Managed Keys        🤖 Customer-Provided Keys      📊 Comparison Matrix
    ─────────────────────────      ────────────────────────       ─────────────────────

    🏦 Key Vault Integration:       💻 Application-Provided:       📋 Feature Comparison:
    ┌─────────────────────┐        ┌─────────────────────┐        ┌─────────────────────┐
    │ ✅ Centralized      │        │ 📤 Request-level    │        │         │ CMK │ CPK │
    │    management       │        │    encryption       │        │ ────────┼─────┼─────│
    │ ✅ Automatic        │        │ 🔑 Client manages   │        │ Setup   │ Med │ Low │
    │    rotation         │        │    keys             │        │ Control │High │Max  │
    │ ✅ Audit trail      │        │ ⚡ Per-request      │        │ Mgmt    │Auto │Man  │
    │ ✅ Compliance       │        │    keys             │        │ Scope   │Acct │Req  │
    │ ✅ Backup/Recovery  │        │ 🎯 Fine-grained     │        │ Audit   │Full │Lim  │
    │                     │        │    control          │        │ Rotate  │Auto │Man  │
    │ 🔄 Key Lifecycle:   │        │                     │        │ Backup  │Yes  │No   │
    │ • Auto-generated    │        │ ⚠️ Considerations:   │        │ Cost    │Low  │None │
    │ • Policy-driven     │        │ • No auto-rotation  │        │ Risk    │Low  │High │
    │ • Versioned         │        │ • Client complexity │        └─────────┴─────┴─────┘
    │ • Soft-deletable    │        │ • No backup/recover │
    └─────────────────────┘        └─────────────────────┘

    ⚙️ Configuration & Setup Process
    ═══════════════════════════════

    1️⃣ Key Vault Preparation       2️⃣ Service Identity           3️⃣ Encryption Config
    ┌─────────────────────┐        ┌─────────────────────┐       ┌─────────────────────┐
    │ # Create Key Vault  │        │ # Enable Identity   │       │ # Account-level CMK │
    │ az keyvault create  │        │ az storage account  │       │ az storage account  │
    │ --name $kvName      │        │ update --assign-    │       │ update --name       │
    │ --resource-group    │        │ identity            │       │ $storageAcct        │
    │ $rgName             │        │                     │       │ --encryption-key-   │
    │ --location $region  │        │ # Grant permissions │       │ source              │
    │ --enable-purge-     │        │ az keyvault set-    │       │ Microsoft.Keyvault  │
    │ protection          │        │ policy --name       │       │ --encryption-key-   │
    │ --enable-soft-      │        │ $kvName --object-id │       │ vault $kvUri        │
    │ delete              │        │ $storageIdentity    │       │ --encryption-key-   │
    │                     │        │ --key-permissions   │       │ name $keyName       │
    │ # Create key        │        │ get unwrapKey       │       │ --encryption-key-   │
    │ az keyvault key     │        │ wrapKey             │       │ version $keyVersion │
    │ create --vault-name │        └─────────────────────┘       └─────────────────────┘
    │ $kvName --name      │
    │ $keyName --kty RSA  │        4️⃣ Validation & Testing     5️⃣ Monitoring Setup
    │ --size 2048         │        ┌─────────────────────┐       ┌─────────────────────┐
    └─────────────────────┘        │ # Verify encryption │       │ # Enable logging    │
                                   │ az storage blob     │       │ az monitor          │
                                   │ upload --account-   │       │ diagnostic-settings │
                                   │ name $storageAcct   │       │ create --resource   │
                                   │ --container test    │       │ $storageResourceId  │
                                   │ --file sample.txt   │       │ --logs '[{          │
                                   │                     │       │   "category":       │
                                   │ # Check encryption  │       │   "StorageRead",    │
                                   │ az storage blob     │       │   "enabled": true   │
                                   │ show --account-name │       │ }]' --workspace     │
                                   │ $storageAcct        │       │ $logAnalyticsId     │
                                   │ --container test    │       └─────────────────────┘
                                   │ --name sample.txt   │
                                   └─────────────────────┘

    📊 Monitoring, Compliance & Troubleshooting
    ═══════════════════════════════════════════

    📈 Monitoring & Alerts         📋 Compliance Features        🔧 Troubleshooting Guide
    ──────────────────────        ──────────────────────        ───────────────────────

    🔍 Key Metrics to Track:       ✅ Regulatory Support:        ⚠️ Common Issues:
    ┌─────────────────────┐       ┌─────────────────────┐       ┌─────────────────────┐
    │ • Key access count  │       │ 🏛️ Compliance:      │       │ 🚫 Access denied:   │
    │ • Encryption        │       │ • FIPS 140-2        │       │ • Check permissions │
    │   failures          │       │ • HIPAA             │       │ • Verify identity   │
    │ • Key rotation      │       │ • SOX               │       │ • Key Vault access  │
    │   status            │       │ • PCI DSS           │       │                     │
    │ • Unauthorized      │       │ • GDPR              │       │ ⏱️ Performance:     │
    │   access attempts   │       │                     │       │ • Key caching       │
    │                     │       │ 📊 Audit Features: │       │ • Network latency   │
    │ 🚨 Alert Rules:     │       │ • Key usage logs    │       │ • Throttling limits │
    │ • Key unavailable   │       │ • Access patterns   │       │                     │
    │ • Rotation failures │       │ • Policy violations │       │ 🔄 Recovery:        │
    │ • Policy violations │       │ • Change tracking   │       │ • Key backup        │
    │ • Unusual access    │       │ • Compliance        │       │ • Emergency access  │
    │ • Performance       │       │   reporting         │       │ • Rollback plans    │
    │   degradation       │       │ • Risk assessment   │       │ • Support channels  │
    └─────────────────────┘       └─────────────────────┘       └─────────────────────┘

Deploy ARM Templates

Explanation

ARM template deployment involves submitting templates to Azure Resource Manager for resource creation. Deployments can be made through the portal, CLI, PowerShell, or DevOps pipelines.

Examples

Portal template deployment, CLI deployment with parameter files, PowerShell deployment automation, DevOps pipeline integration.

Enterprise Use Case

Organizations deploy templates for infrastructure provisioning, application deployment, disaster recovery, and environment standardization.

Diagram

Template Deployment:
[Template + Parameters] → [Azure Resource Manager] → [Resources Created]
         |                        |                          |
[JSON Files]              [Validation]                 [Infrastructure]
                         [Deployment]                  [Applications]

Configure Object Replication

Explanation

Object replication automatically copies block blobs between storage accounts across regions or within the same region. It provides asynchronous replication for disaster recovery, latency reduction, and data distribution.

Examples

Replicating data from primary to secondary region, copying frequently accessed data closer to users, maintaining backup copies in different regions, distributing content globally.

Enterprise Use Case

Organizations use object replication for disaster recovery, improving application performance by reducing latency, compliance with data residency requirements, and global content distribution.

Diagram

Object Replication Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                    🔄 OBJECT REPLICATION FLOW                  │
└─────────────────────────────────────────────────────────────────┘

    Source Storage Account              Destination Storage Account
    ┌─────────────────────┐                ┌─────────────────────┐
    │   📦 Container A    │────────────────│   📦 Container A    │
    │                     │   Replication  │                     │
    │   ┌─────────────┐   │   Rules & Flow │   ┌─────────────┐   │
    │   │📄 blob1.txt │   │                │   │📄 blob1.txt │   │
    │   │📄 blob2.png │   │ ──async copy──▶│   │📄 blob2.png │   │
    │   │📄 blob3.pdf │   │                │   │📄 blob3.pdf │   │
    │   └─────────────┘   │                │   └─────────────┘   │
    └─────────────────────┘                └─────────────────────┘
    
Configuration Requirements:
──────────────────────────
✅ Source: General-purpose v2, Premium Block Blob
✅ Destination: General-purpose v2, Premium Block Blob
✅ Blob versioning: Enabled on both accounts
✅ Change Feed: Enabled on source account

CLI Configuration:
─────────────────
az storage account or-policy create \
  --resource-group myResourceGroup \
  --account-name myDestAccount \
  --source-account mySourceAccount \
  --destination-account myDestAccount \
  --source-container mySourceContainer \
  --destination-container myDestContainer

The policy is created on the destination account first; the same policy (matching --policy-id) is then created on the source account.

AzCopy Command-Line Tool

Explanation

AzCopy is a command-line utility for copying data to and from Azure storage accounts. It provides high-performance data transfer with support for large files, directory synchronization, and resume capabilities.

Examples

Bulk uploading files to blob storage, synchronizing directories, copying between storage accounts, migrating data from AWS S3, transferring large datasets efficiently.

Enterprise Use Case

Organizations use AzCopy for data migration, backup operations, synchronizing on-premises data with cloud storage, and automating file transfers in DevOps pipelines.

Diagram

AzCopy Operations & Performance:

┌─────────────────────────────────────────────────────────────────┐
│                      🚀 AZCOPY ARCHITECTURE                     │
└─────────────────────────────────────────────────────────────────┘

    Local File System              Azure Storage Account
    ┌─────────────────────┐        ┌─────────────────────────┐
    │   📁 /data/         │        │   📦 Blob Container     │
    │   ├─ file1.zip      │        │   ├─ file1.zip         │
    │   ├─ file2.txt      │ ──────▶│   ├─ file2.txt         │
    │   ├─ folder1/       │ Upload │   ├─ folder1/          │
    │   └─ folder2/       │        │   └─ folder2/          │
    └─────────────────────┘        └─────────────────────────┘
                │                                │
                ▼                                ▼
    ┌─────────────────────┐        ┌─────────────────────────┐
    │   📁 /backup/       │        │   📦 File Share        │
    │   (synchronized)    │◀────── │   (source data)        │
    └─────────────────────┘  Sync  └─────────────────────────┘

Common Commands:
──────────────
# Upload files
azcopy copy '/local/path/*' 'https://account.blob.core.windows.net/container?SAS'

# Download files  
azcopy copy 'https://account.blob.core.windows.net/container?SAS' '/local/path/'

# Sync directories
azcopy sync '/local/path/' 'https://account.blob.core.windows.net/container?SAS'

# Copy between accounts
azcopy copy 'https://source.blob.core.windows.net/container?SAS' \
           'https://dest.blob.core.windows.net/container?SAS'

Performance Features:
───────────────────
🔄 Parallel transfers (10 concurrent by default)
📊 Progress reporting and logging
⏸️  Resume interrupted transfers
🔐 SAS token and OAuth authentication
🎯 Pattern matching and filtering

Manage Azure Resources

Explanation

Azure resource management involves using various tools and interfaces to create, configure, monitor, and maintain cloud resources. Azure provides multiple management options including Portal, CLI, PowerShell, and ARM templates for different scenarios.

Examples

Creating VMs through Portal, managing storage with CLI, automating deployments with PowerShell, using ARM templates for infrastructure as code, monitoring resources with Azure Monitor.

Enterprise Use Case

Organizations use multiple management tools for different scenarios: Portal for visual management, CLI for scripting, PowerShell for Windows integration, and ARM templates for standardized deployments.

Diagram

Azure Resource Management Ecosystem:

┌─────────────────────────────────────────────────────────────────┐
│                 🎛️ AZURE RESOURCE MANAGEMENT                    │
└─┬───────────────────────────────────────────────────────────┬───┘
  │                                                           │
  ▼                                                           ▼
🌐 AZURE PORTAL                          💻 COMMAND LINE TOOLS
┌─────────────────────────────────┐      ┌─────────────────────────────────┐
│                                 │      │                                 │
│ 🖱️ Visual Interface:             │      │ ⚡ PowerShell:                  │
│ • Point-and-click operations    │      │ • Object-oriented cmdlets       │
│ • Graphical dashboards          │      │ • Windows integration           │
│ • Wizard-driven workflows       │      │ • Advanced scripting            │
│ • Real-time resource monitoring │      │ • Pipeline operations           │
│                                 │      │                                 │
│ 🎯 Best For:                    │      │ 💾 Azure CLI:                   │
│ • Learning and exploration      │      │ • Cross-platform commands       │
│ • One-off configurations        │      │ • JSON output format            │
│ • Visual troubleshooting        │      │ • Bash/shell integration        │
│ • Non-technical users           │      │ • Lightweight operations        │
│                                 │      │                                 │
│ 📊 Features:                    │      │ 🔧 Both Support:               │
│ • Resource groups view          │      │ • Automation and scripting      │
│ • Cost management               │      │ • Batch operations              │
│ • Activity logs                 │      │ • Infrastructure as Code        │
│ • Resource health               │      │ • DevOps integration            │
│                                 │      │                                 │
└─────────────────────────────────┘      └─────────────────────────────────┘
         │                                        │
         ▼                                        ▼
☁️ AZURE CLOUD SHELL               📜 ARM TEMPLATES & BICEP
┌─────────────────────────────────┐      ┌─────────────────────────────────┐
│                                 │      │                                 │
│ 🌍 Browser-Based Terminal:       │      │ 🏗️ Infrastructure as Code:       │
│ • No local installation needed  │      │ • Declarative resource defs    │
│ • Pre-installed tools           │      │ • Version control friendly     │
│ • Persistent storage            │      │ • Repeatable deployments       │
│ • Both PowerShell and Bash      │      │ • Parameterized templates      │
│                                 │      │                                 │
│ 💾 Built-in Tools:              │      │ 📋 ARM Templates (JSON):       │
│ • Azure CLI                     │      │ {                               │
│ • Azure PowerShell              │      │   "$schema": "...",             │
│ • Git, Docker, kubectl          │      │   "contentVersion": "1.0.0.0",  │
│ • Text editors (vim, nano)      │      │   "parameters": {...},          │
│                                 │      │   "resources": [...]            │
│ 🔄 Session Features:            │      │ }                               │
│ • 20GB persistent storage       │      │                                 │
│ • File upload/download          │      │ 🔹 Bicep (DSL):                │
│ • Multiple concurrent sessions  │      │ resource vm 'Microsoft.Compute  │
│ • Integration with Git repos    │      │   /virtualMachines@2021-03-01'  │
│                                 │      │                                 │
└─────────────────────────────────┘      └─────────────────────────────────┘

┌─────────────────────────────────────────────────────────────────┐
│                    🎯 MANAGEMENT SCENARIOS                       │
└─────────────────────────────────────────────────────────────────┘

Development & Learning:           Production Operations:           Automation & DevOps:
═══════════════════════          ══════════════════════          ═══════════════════

🎓 Scenario: Learning Azure      🏭 Scenario: Production Mgmt     🤖 Scenario: CI/CD Pipeline
┌─────────────────────────────┐  ┌─────────────────────────────┐  ┌─────────────────────────────┐
│ Tool: Azure Portal          │  │ Tool: PowerShell Scripts    │  │ Tool: ARM Templates         │
│ • Visual exploration        │  │ • Standardized operations   │  │ • Version-controlled infra  │
│ • Interactive tutorials     │  │ • Bulk resource management  │  │ • Automated deployments     │
│ • Resource relationship     │  │ • Error handling & logging  │  │ • Environment consistency   │
│   visualization             │  │ • Role-based access         │  │ • Rollback capabilities     │
└─────────────────────────────┘  └─────────────────────────────┘  └─────────────────────────────┘

Quick Troubleshooting:           Cross-Platform Development:      Enterprise Governance:
════════════════════            ═══════════════════════════      ══════════════════════

🔍 Scenario: Resource Issues    🌐 Scenario: Multi-Platform     🏢 Scenario: Policy Compliance
┌─────────────────────────────┐  ┌─────────────────────────────┐  ┌─────────────────────────────┐
│ Tool: Cloud Shell           │  │ Tool: Azure CLI             │  │ Tool: Portal + ARM          │
│ • Immediate access          │  │ • Works on Linux/Mac/Win    │  │ • Visual policy assignment  │
│ • No setup required         │  │ • Consistent commands       │  │ • Template-based standards  │
│ • Full CLI/PS capabilities  │  │ • JSON output for parsing   │  │ • Automated compliance      │
│ • Direct resource access    │  │ • Shell scripting friendly  │  │ • Audit and reporting       │
└─────────────────────────────┘  └─────────────────────────────┘  └─────────────────────────────┘

⚡ QUICK REFERENCE COMMANDS:
════════════════════════════

Portal Navigation:               CLI Commands:                    PowerShell Cmdlets:
• All services → Resource type  • az group create --name myRG    • New-AzResourceGroup -Name myRG
• Resource groups → Select       • az vm create --resource-group • New-AzVM -ResourceGroupName
• Monitor → Activity log         • az storage account list       • Get-AzStorageAccount
• Cost Management + Billing     • az policy assignment list     • Get-AzPolicyAssignment

ARM Template Deployment:
• az deployment group create --resource-group myRG --template-file template.json
• New-AzResourceGroupDeployment -ResourceGroupName myRG -TemplateFile template.json

🏆 BEST PRACTICES:
════════════════

🔐 Security:                    📊 Monitoring:                  🎯 Efficiency:
• Use managed identities       • Enable diagnostic logs        • Use resource groups wisely
• Implement RBAC properly      • Set up alerts and budgets     • Tag resources consistently
• Regular access reviews       • Monitor resource health       • Automate repetitive tasks
• Key rotation policies        • Track configuration changes   • Use templates for standards

Azure Import/Export Service

Explanation

Azure Import/Export Service transfers large amounts of data to and from Azure by shipping physical disk drives to Microsoft datacenters. It's designed for scenarios where network transfer would be impractical due to bandwidth limitations or costs.

Examples

Initial data migration to Azure, disaster recovery scenarios, transferring large datasets for analytics, moving archive data to Azure, migrating from on-premises tape systems.

Enterprise Use Case

Organizations use Import/Export Service for large data migrations (>40TB), when bandwidth is limited or expensive, for one-time bulk transfers, and when network transfer would take weeks or months.

Diagram

Import/Export Service Workflow:

┌─────────────────────────────────────────────────────────────────┐
│                   📦 IMPORT/EXPORT PROCESS                     │
└─────────────────────────────────────────────────────────────────┘

    IMPORT Process (Upload to Azure):
    ════════════════════════════════
    
    1️⃣ Prepare           2️⃣ Ship              3️⃣ Process
    ┌─────────────┐      ┌─────────────┐      ┌─────────────────┐
    │💾 Local Data│      │📮 Ship Disk │      │🏢 Microsoft DC  │
    │             │──────│             │──────│                 │
    │🔧 WAImport  │      │📦 Packaging │      │🔄 Data Transfer │
    │   Tool      │      │             │      │                 │
    └─────────────┘      └─────────────┘      └─────────────────┘
            │                     │                     │
            ▼                     ▼                     ▼
    [Format Drives]       [Secure Shipping]    [Upload to Storage]
    [Copy Data]           [Tracking Number]    [Return Empty Drives]
    [Generate Journal]    [Insurance]          [Email Completion]

    EXPORT Process (Download from Azure):
    ════════════════════════════════════
    
    1️⃣ Request           2️⃣ Microsoft        3️⃣ Receive
    ┌─────────────┐      ┌─────────────┐      ┌─────────────────┐
    │📝 Export Job│      │💾 Load Data │      │📦 Receive Disk  │
    │             │──────│             │──────│                 │
    │🎯 Specify   │      │🔐 Encrypt   │      │🔐 Unlock Data   │
    │   Data      │      │             │      │                 │
    └─────────────┘      └─────────────┘      └─────────────────┘

Supported Drive Types:
────────────────────
✅ 2.5" or 3.5" SATA II/III HDDs
✅ 2.5" SATA II/III SSDs  
✅ Up to 10TB per drive
❌ USB drives not supported
❌ External drives not supported

Cost Considerations:
─────────────────
💰 $2-3 per drive + shipping
💰 Data transfer charges apply
💰 Storage charges after import
⏱️  Faster than internet for >40TB datasets

Standard vs Premium Storage Accounts

Explanation

Standard storage uses magnetic hard drives (HDDs) for cost-effective general-purpose storage, while Premium storage uses solid-state drives (SSDs) for high-performance applications requiring low latency and high IOPS.

Examples

Standard for backup files, archives, and general data storage. Premium for high-performance databases, virtual machine disks, real-time analytics, and latency-sensitive applications.

Enterprise Use Case

Organizations use Standard storage for cost optimization with general workloads, and Premium storage for mission-critical applications requiring consistent high performance and low latency.

Diagram

Standard vs Premium Storage Comparison:

┌─────────────────────────────────────────────────────────────────┐
│                 💾 STORAGE PERFORMANCE TIERS                   │
└─────────────────────────────────────────────────────────────────┘

    Standard Storage (HDD-based)     Premium Storage (SSD-based)
    ┌─────────────────────────┐      ┌─────────────────────────┐
    │    💰 Cost Optimized    │      │   ⚡ Performance Focused │
    │                         │      │                         │
    │ 🏗️  Infrastructure:     │      │ 🏗️  Infrastructure:     │
    │    📀 Magnetic HDDs     │      │    💿 Solid State Drives│
    │    🔄 Standard Network  │      │    🚀 Premium Network   │
    │                         │      │                         │
    │ 📊 Performance Specs:   │      │ 📊 Performance Specs:   │
    │    📈 Up to 500 IOPS    │      │    📈 Up to 80,000 IOPS │
    │    ⏱️  Variable Latency │      │    ⏱️  <1ms Latency     │
    │    📶 60 MB/s Throughput│      │    📶 Up to 900 MB/s    │
    │                         │      │                         │
    │ 💵 Cost Structure:      │      │ 💵 Cost Structure:      │
    │    💲 Low storage cost  │      │    💲💲 Higher cost      │
    │    🔄 Pay per operation │      │    📦 Premium pricing   │
    │                         │      │                         │
    │ 🎯 Use Cases:           │      │ 🎯 Use Cases:           │
    │    📁 File storage      │      │    🗄️  Databases        │
    │    💾 Backups/Archives  │      │    🖥️  VM OS disks      │
    │    📈 Dev/Test envs     │      │    📊 Real-time analytics│
    │    🌐 Static websites   │      │    🎮 Gaming applications│
    └─────────────────────────┘      └─────────────────────────┘

Storage Account Types:
────────────────────
Standard:
📦 Standard_LRS - Locally Redundant (cheapest)
📦 Standard_GRS - Geo-Redundant  
📦 Standard_ZRS - Zone-Redundant
📦 Standard_RAGRS - Read-Access Geo-Redundant

Premium:
📦 Premium_LRS - Premium Locally Redundant
📦 Premium_ZRS - Premium Zone-Redundant
❌ No Premium GRS (geo-redundancy not available)

CLI Creation Examples:
────────────────────
# Standard Storage Account
az storage account create \
  --name mystandardstorage \
  --resource-group myRG \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2

# Premium Storage Account  
az storage account create \
  --name mypremiumstorage \
  --resource-group myRG \
  --location eastus \
  --sku Premium_LRS \
  --kind StorageV2

Storage Redundancy Types (LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS)

Explanation

Azure Storage redundancy protects data against hardware failures, datacenter outages, and natural disasters. Different redundancy options provide varying levels of durability, availability, and cost, from local replication to geo-distributed copies.

Examples

LRS for cost-sensitive dev environments, ZRS for high availability within region, GRS for disaster recovery, RA-GRS for read access during outages, GZRS for highest availability.

Enterprise Use Case

Organizations choose redundancy based on RTO/RPO requirements, compliance needs, budget constraints, and criticality of data. Mission-critical data uses GZRS, archives use LRS.

Diagram

Storage Redundancy Architecture Comparison:

┌─────────────────────────────────────────────────────────────────┐
│              🔄 AZURE STORAGE REDUNDANCY OPTIONS               │
└─────────────────────────────────────────────────────────────────┘

1️⃣  LOCALLY REDUNDANT STORAGE (LRS) - 99.999999999% (11 9's) durability
    ┌─────────────────────────┐
    │    🏢 Single Region     │
    │   ┌─────────────────┐   │
    │   │  🏢 Datacenter  │   │
    │   │  💾 Copy 1      │   │
    │   │  💾 Copy 2      │   │
    │   │  💾 Copy 3      │   │
    │   └─────────────────┘   │
    └─────────────────────────┘
    Cost: 💰 Lowest  |  Protection: Datacenter failure ❌

2️⃣  ZONE REDUNDANT STORAGE (ZRS) - 99.9999999999% (12 9's) durability  
    ┌───────────────────────────────┐
    │       🏢 Single Region        │
    │  ┌──────┐  ┌──────┐  ┌──────┐ │
    │  │Zone 1│  │Zone 2│  │Zone 3│ │
    │  │💾Copy│  │💾Copy│  │💾Copy│ │
    │  │  1   │  │  2   │  │  3   │ │
    │  └──────┘  └──────┘  └──────┘ │
    └───────────────────────────────┘
    Cost: 💰💰 Medium  |  Protection: Zone failure ✅

3️⃣  GEO REDUNDANT STORAGE (GRS) - 99.99999999999999% (16 9's) durability
    ┌─────────────────────────┐     ┌─────────────────────────┐
    │   🏢 Primary Region     │────▶│  🏢 Secondary Region    │
    │   ┌─────────────────┐   │     │   ┌─────────────────┐   │
    │   │  🏢 Datacenter  │   │     │   │  🏢 Datacenter  │   │
    │   │  💾 Copy 1      │   │     │   │  💾 Copy 4      │   │
    │   │  💾 Copy 2      │   │     │   │  💾 Copy 5      │   │
    │   │  💾 Copy 3      │   │     │   │  💾 Copy 6      │   │
    │   └─────────────────┘   │     │   └─────────────────┘   │
    └─────────────────────────┘     └─────────────────────────┘
    Cost: 💰💰💰 Higher  |  Protection: Regional disaster ✅

4️⃣  READ ACCESS GEO REDUNDANT (RA-GRS) - Same as GRS + Read Access
    [Same architecture as GRS but with read access to secondary region]
    
5️⃣  GEO ZONE REDUNDANT STORAGE (GZRS) - Ultimate protection
    ┌───────────────────────────────┐     ┌─────────────────────────┐
    │      🏢 Primary Region        │────▶│  🏢 Secondary Region    │
    │  ┌──────┐  ┌──────┐  ┌──────┐ │     │   ┌─────────────────┐   │
    │  │Zone 1│  │Zone 2│  │Zone 3│ │     │   │  🏢 Datacenter  │   │
    │  │💾Copy│  │💾Copy│  │💾Copy│ │     │   │  💾 Copy 7      │   │
    │  │  1   │  │  2   │  │  3   │ │     │   │  💾 Copy 8      │   │
    │  └──────┘  └──────┘  └──────┘ │     │   │  💾 Copy 9      │   │
    └───────────────────────────────┘     │   └─────────────────┘   │
                                          └─────────────────────────┘
    Cost: 💰💰💰💰 Highest  |  Protection: Zone + Region ✅

6️⃣  READ ACCESS GZRS (RA-GZRS) - GZRS + Read Access to Secondary

Redundancy Selection Guide:
─────────────────────────
💡 Development/Testing → LRS (lowest cost)
🏢 Production (single region) → ZRS (zone protection)  
🌍 Mission Critical → GZRS/RA-GZRS (ultimate protection)
📄 Compliance/Archive → GRS (regional backup)
📊 Analytics (read-heavy) → RA-GRS/RA-GZRS (read access)

Create Blob Containers (Azure Portal)

Explanation

Azure Portal provides a user-friendly web interface for creating and managing blob containers. The portal offers guided wizards, visual management, and easy access control configuration for blob storage containers.

Examples

Creating containers for website assets, organizing data by project or department, setting up public containers for static content, configuring private containers for sensitive data.

Enterprise Use Case

Portal is preferred for initial setup, one-time configurations, visual management of permissions, and users who prefer GUI over command-line tools.

Diagram

Portal Container Creation Workflow:

┌─────────────────────────────────────────────────────────────────┐
│               🖥️  AZURE PORTAL CONTAINER CREATION              │
└─────────────────────────────────────────────────────────────────┘

Step-by-Step Portal Process:
═══════════════════════════

1️⃣  Navigate to Storage Account
    ┌─────────────────────────┐
    │  🏠 Azure Portal Home   │
    │  ├─ 🔍 Search Resources │
    │  ├─ 📦 Storage Accounts │
    │  └─ 📋 Select Account   │
    └─────────────────────────┘
            │
            ▼
2️⃣  Access Container Management
    ┌─────────────────────────┐
    │  📦 Storage Account     │
    │  ├─ 📊 Overview         │
    │  ├─ 📁 Containers ◄──── │
    │  ├─ 🔑 Access Keys      │
    │  └─ ⚙️  Configuration   │
    └─────────────────────────┘
            │
            ▼
3️⃣  Create New Container
    ┌─────────────────────────┐
    │  📁 Containers Blade    │
    │  ┌─────────────────┐    │
    │  │ ➕ + Container  │    │
    │  └─────────────────┘    │
    │  ├─ 📋 Existing List    │
    │  └─ 🔄 Refresh          │
    └─────────────────────────┘
            │
            ▼
4️⃣  Configure Container Settings
    ┌─────────────────────────┐
    │  ⚙️  Container Settings │
    │                         │
    │  📝 Name: [mycontainer] │
    │                         │
    │  🔐 Public Access:      │
    │  ○ Private (default)    │
    │  ○ Blob (anonymous read)│
    │  ○ Container (list+read)│
    │                         │
    │  🏷️  Advanced Options:  │
    │  └─ 🏗️  Encryption Scope│
    │                         │
    │  [✅ Create Container]  │
    └─────────────────────────┘

Container Access Levels:
──────────────────────
🔒 Private (No anonymous access)
   - Default and most secure
   - Requires authentication for all access
   
🔓 Blob (Anonymous read access for blobs only)  
   - Individual blobs can be accessed publicly
   - Container contents cannot be listed
   
🌐 Container (Anonymous read access for container and blobs)
   - Full public read access
   - Anyone can list and download all blobs

Portal Benefits:
──────────────
✅ Visual interface with guided forms
✅ Real-time validation of settings
✅ Easy access control configuration
✅ Integrated with Azure RBAC
✅ No command-line knowledge required
✅ Immediate visual feedback

Navigation Path:
──────────────
Azure Portal → Storage Accounts → [Account] → Containers → + Container

Create Blob Containers (Azure CLI)

Explanation

Azure CLI provides command-line access to create and manage blob containers programmatically. CLI offers scripting capabilities, automation integration, and precise control over container configuration.

Examples

Automating container creation in deployment scripts, batch creating multiple containers, integrating with CI/CD pipelines, programmatic access management.

Enterprise Use Case

DevOps teams use CLI for automation, developers prefer it for scripting, system administrators integrate it with infrastructure-as-code workflows.

Diagram

CLI Container Creation Commands & Options:

┌─────────────────────────────────────────────────────────────────┐
│                 💻 AZURE CLI CONTAINER OPERATIONS              │
└─────────────────────────────────────────────────────────────────┘

Authentication Setup:
═══════════════════
# Login to Azure
az login

# Set default subscription  
az account set --subscription "Your Subscription Name"

# Set default storage account (optional)
az configure --defaults storage-account=mystorageaccount

Basic Container Creation:
═══════════════════════
# Simple container creation
az storage container create \
  --name mycontainer \
  --account-name mystorageaccount \
  --auth-mode key

# With connection string
az storage container create \
  --name mycontainer \
  --connection-string "DefaultEndpoints..."

# Using account key
az storage container create \
  --name mycontainer \
  --account-name mystorageaccount \
  --account-key "YourStorageKey=="

Advanced Container Configuration:
═══════════════════════════════
# Container with public access
az storage container create \
  --name publiccontainer \
  --account-name mystorageaccount \
  --public-access blob \
  --auth-mode key

# Multiple containers with loop
for container in web-assets data-backup user-uploads; do
  az storage container create \
    --name $container \
    --account-name mystorageaccount \
    --auth-mode key
done

Container Management Commands:
════════════════════════════
# List all containers
az storage container list \
  --account-name mystorageaccount \
  --auth-mode key

# Show container properties  
az storage container show \
  --name mycontainer \
  --account-name mystorageaccount \
  --auth-mode key

# Delete container
az storage container delete \
  --name mycontainer \
  --account-name mystorageaccount \
  --auth-mode key

# Generate SAS token for container (signed with the account key, so it can
# only be invalidated early by rotating that key: keep --expiry short and
# grant the minimum permissions; with --auth-mode login --as-user the CLI
# issues a user delegation SAS tied to your Azure AD identity instead)
az storage container generate-sas \
  --name mycontainer \
  --account-name mystorageaccount \
  --permissions rwdl \
  --expiry 2024-12-31 \
  --auth-mode key

Public Access Levels:
───────────────────
--public-access off      # Private (default)
--public-access blob     # Anonymous read for blobs
--public-access container # Anonymous read for container/blobs

Authentication Methods:
─────────────────────
--auth-mode login        # Azure AD authentication
--auth-mode key          # Storage account key
--connection-string      # Full connection string
--account-key           # Explicit account key

CLI Benefits:
───────────
🚀 Fast command execution
📜 Perfect for scripting and automation
🔄 Easy to integrate with DevOps pipelines  
⚡ Batch operations support
🎯 Precise parameter control
📊 JSON output for processing

Create Blob Containers (PowerShell)

Explanation

Azure PowerShell provides object-oriented container management through cmdlets. PowerShell offers rich object manipulation, pipeline processing, and integration with Windows environments for blob container operations.

Examples

PowerShell scripts for container lifecycle management, integration with Windows automation, object-based container properties manipulation, bulk operations with pipeline processing.

Enterprise Use Case

Windows administrators prefer PowerShell for automation, enterprises with PowerShell-based infrastructure use it for consistency, developers creating Windows-integrated solutions.

Diagram

PowerShell Container Management & Cmdlets:

┌─────────────────────────────────────────────────────────────────┐
│              🟦 AZURE POWERSHELL CONTAINER OPERATIONS          │
└─────────────────────────────────────────────────────────────────┘

Module Installation & Setup:
═══════════════════════════
# Install Azure PowerShell module
Install-Module -Name Az -Force -AllowClobber

# Import required modules
Import-Module Az.Storage
Import-Module Az.Accounts

# Connect to Azure
Connect-AzAccount

# Set context to subscription
Set-AzContext -SubscriptionName "Your Subscription"

Basic Container Creation:
═══════════════════════
# Get storage account context
$storageAccount = Get-AzStorageAccount `
  -ResourceGroupName "myResourceGroup" `
  -Name "mystorageaccount"

$ctx = $storageAccount.Context

# Create simple container (PowerShell continues lines with a backtick, not a backslash)
New-AzStorageContainer `
  -Name "mycontainer" `
  -Context $ctx

# Create container with public access
# (takes effect only if anonymous access is allowed at the storage-account level)
New-AzStorageContainer `
  -Name "publiccontainer" `
  -Context $ctx `
  -Permission Blob

Advanced Container Operations:
════════════════════════════
# Create multiple containers
$containers = @("web-assets", "data-backup", "user-uploads")
$containers | ForEach-Object {
    New-AzStorageContainer -Name $_ -Context $ctx
}

# Create container with metadata
# (New-AzStorageContainer has no -Metadata parameter; the management-plane
#  cmdlet New-AzRmStorageContainer does)
$metadata = @{
    "Project" = "WebApp"
    "Environment" = "Production"
    "Owner" = "DevTeam"
}

New-AzRmStorageContainer `
  -ResourceGroupName "myResourceGroup" `
  -StorageAccountName "mystorageaccount" `
  -Name "webapp-container" `
  -Metadata $metadata

Container Management Cmdlets:
═══════════════════════════
# List all containers
Get-AzStorageContainer -Context $ctx

# Get specific container
Get-AzStorageContainer -Name "mycontainer" -Context $ctx

# Get container properties
$container = Get-AzStorageContainer -Name "mycontainer" -Context $ctx
$container.CloudBlobContainer.Properties

# Set container ACL/permissions
Set-AzStorageContainerAcl `
  -Name "mycontainer" `
  -Context $ctx `
  -Permission Blob

# Remove container
Remove-AzStorageContainer `
  -Name "mycontainer" `
  -Context $ctx `
  -Force

Pipeline Processing Examples:
═══════════════════════════
# Get containers and filter
Get-AzStorageContainer -Context $ctx | 
  Where-Object { $_.Name -like "*prod*" } |
  Select-Object Name, LastModified

# Bulk operations
Get-AzStorageContainer -Context $ctx |
  Where-Object { $_.Name -like "*temp*" } |
  Remove-AzStorageContainer -Force

# Export container info
Get-AzStorageContainer -Context $ctx |
  Select-Object Name, LastModified, PublicAccess |
  Export-Csv -Path "containers.csv" -NoTypeInformation

Container Permission Levels:
──────────────────────────
-Permission Off          # Private (default)
-Permission Blob         # Anonymous blob access
-Permission Container    # Anonymous container access

PowerShell Benefits:
─────────────────
🔷 Object-oriented approach
🔄 Rich pipeline processing capabilities
🪟 Native Windows integration
📊 Advanced filtering and manipulation
🎯 Strongly typed objects
⚡ Efficient bulk operations
📜 Excellent for complex automation scripts

Storage Access Policies

Explanation

Storage access policies define the permissions and access rules for blob containers and queues, and are separate from stored access policies (the named SAS policies covered later). They control who can access storage resources, which operations they can perform, and under what conditions.

Examples

Setting container-level read permissions, configuring write access for specific applications, implementing time-based access restrictions, managing anonymous public access levels.

Enterprise Use Case

Organizations use access policies to implement fine-grained security controls, comply with data governance requirements, manage application access rights, and control public vs private data exposure.

Diagram

Storage Access Policy Configuration:

┌─────────────────────────────────────────────────────────────────┐
│                🔐 STORAGE ACCESS POLICY STRUCTURE              │
└─────────────────────────────────────────────────────────────────┘

Container Access Levels:
══════════════════════

🔒 PRIVATE ACCESS (Default)
    ┌─────────────────────────┐
    │   📦 Private Container  │
    │                         │
    │   Access Requirements:  │
    │   ✅ Storage Account Key │
    │   ✅ SAS Token          │
    │   ✅ Azure AD Auth      │
    │                         │
    │   ❌ Anonymous Access   │
    │   ❌ Public URLs        │
    └─────────────────────────┘

🔓 BLOB LEVEL ACCESS  
    ┌─────────────────────────┐
    │   📦 Blob-Public        │
    │                         │
    │   ✅ Direct blob URLs   │
    │   ✅ Anonymous read     │
    │   ❌ Container listing  │
    │                         │
    │   Example:              │
    │   https://account.blob. │
    │   core.windows.net/     │
    │   container/file.jpg    │
    └─────────────────────────┘

🌐 CONTAINER LEVEL ACCESS
    ┌─────────────────────────┐  
    │   📦 Container-Public   │
    │                         │
    │   ✅ Anonymous read     │
    │   ✅ Container listing  │
    │   ✅ Enumerate blobs    │
    │                         │
    │   API Access:          │
    │   GET /container?comp=  │
    │   list (public)         │
    └─────────────────────────┘

Configuration Methods:
════════════════════

Portal Configuration:
───────────────────
Container → Settings → Access Policy → Public Access Level
└─ Private/Blob/Container

CLI Configuration:  
─────────────────
# Set blob-level public access
az storage container set-permission \
  --name mycontainer \
  --public-access blob \
  --account-name mystorageaccount

# Set container-level public access  
az storage container set-permission \
  --name mycontainer \
  --public-access container \
  --account-name mystorageaccount

PowerShell Configuration:
───────────────────────
# Set access policy
Set-AzStorageContainerAcl `
  -Name "mycontainer" `
  -Permission Blob `
  -Context $storageContext

Access Policy vs Stored Access Policy:
════════════════════════════════════

📋 Access Policies (This Concept):
   └─ Container-level permissions
   └─ Public/Private access control
   └─ Anonymous access configuration
   
📑 Stored Access Policies (Different Concept):
   └─ Named policy templates for SAS
   └─ Centralized SAS management
   └─ Revokable SAS token control

Security Best Practices:
══════════════════════
🔐 Use private access by default
🎯 Only enable public access when required
🔒 Keep the account-level "Allow Blob anonymous access" setting disabled unless a container genuinely needs it; while it is off (the default for newly created accounts), Blob/Container levels set on individual containers have no effect
📊 Monitor public container usage
🚨 Regular access policy audits
⏰ Implement time-based restrictions
🔄 Review and update policies regularly
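The two-level rule above (account switch plus container level) is easy to get wrong when auditing, so here is an added example, not code from this guide or from Azure, that computes the effective anonymous exposure of each container. The account and container records are constructed to resemble the `allowBlobPublicAccess` field of `az storage account show` and the `properties.publicAccess` field of `az storage container list`; the exact JSON shape is an assumption rather than captured output.

```python
"""Audit which blob containers are effectively reachable anonymously.

Added example, not code from the AZ-104 guide. Anonymous reads need BOTH
the account-level "Allow Blob anonymous access" setting (allowBlobPublicAccess)
and a container-level public access level of 'blob' or 'container'. A
container marked public on an account that blocks anonymous access is not
exposed today, but becomes exposed the moment someone flips the account
switch, so both cases are reported.
"""
import json

# Constructed sample (assumed field names): one account with anonymous
# access blocked at account level, one legacy account that still allows it.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "stlocked", "allowBlobPublicAccess": false,
   "containers": [
     {"name": "web-assets",  "properties": {"publicAccess": "blob"}},
     {"name": "data-backup", "properties": {"publicAccess": null}}
   ]},
  {"name": "stlegacy", "allowBlobPublicAccess": true,
   "containers": [
     {"name": "web-assets",   "properties": {"publicAccess": "blob"}},
     {"name": "user-uploads", "properties": {"publicAccess": "container"}},
     {"name": "private-docs", "properties": {"publicAccess": null}}
   ]}
]
""")


def effective_exposure(allow_public: bool, public_access) -> str:
    """'none', 'blob' (anonymous read of a known blob URL) or
    'container' (anonymous listing plus read) for one container."""
    if not allow_public or not public_access:
        return "none"
    level = public_access.lower()
    return level if level in ("blob", "container") else "none"


def exposed_containers(accounts: list) -> list:
    """(account, container, exposure) for every effectively anonymous container;
    listable containers first, since they need no prior knowledge of blob names."""
    findings = []
    for acct in accounts:
        for c in acct["containers"]:
            exp = effective_exposure(acct["allowBlobPublicAccess"],
                                     c["properties"]["publicAccess"])
            if exp != "none":
                findings.append((acct["name"], c["name"], exp))
    findings.sort(key=lambda f: (f[2] != "container", f[0], f[1]))
    return findings


def latent_public_containers(accounts: list) -> list:
    """(account, container) whose own access level is public but which the
    account-level switch currently neutralises; reset these to private so a
    later change of the account setting cannot expose them silently."""
    return [(a["name"], c["name"])
            for a in accounts if not a["allowBlobPublicAccess"]
            for c in a["containers"] if c["properties"]["publicAccess"]]


if __name__ == "__main__":
    for a, c, e in exposed_containers(SAMPLE_ACCOUNTS):
        print(f"EXPOSED {a}/{c}: anonymous {e}-level access")
    for a, c in latent_public_containers(SAMPLE_ACCOUNTS):
        print(f"LATENT  {a}/{c}: public level set, blocked at account level")
```

On the sample data only the two public containers of `stlegacy` are reported as exposed, while `stlocked/web-assets` shows up as a latent misconfiguration worth resetting to private.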

Storage Performance Tiers

Explanation

Azure Storage offers access tiers (Hot, Cool, Archive) and a Premium performance tier, each optimized for different workload requirements. The tiers determine IOPS, throughput, and latency characteristics as well as the balance between per-GB storage cost and per-operation access cost, allowing optimization for cost, speed, or balanced performance.

Examples

Hot tier for frequently accessed web content, Cool tier for backup data accessed monthly, Archive tier for long-term compliance data, Premium tier for high-performance databases.

Enterprise Use Case

Organizations use performance tiers to optimize costs by matching storage performance to access patterns, ensuring applications get required performance while minimizing expenses for infrequently accessed data.

Diagram

Storage Performance Tiers Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                🌡️  STORAGE PERFORMANCE TIERS                   │
└─────────────────────────────────────────────────────────────────┘

Performance & Cost Spectrum:
═══════════════════════════

🔥 HOT TIER (Frequent Access)
    ┌─────────────────────────┐
    │   📊 Characteristics:   │
    │   ⚡ Lowest latency     │
    │   📈 Highest throughput │
    │   💰 Higher storage cost│
    │   💸 Lower access cost  │
    │                         │
    │   🎯 Use Cases:         │
    │   🌐 Website content    │
    │   📱 Mobile app data    │
    │   🗄️  Active databases  │
    │   📊 Analytics data     │
    │                         │
    │   💵 Cost Model:        │
    │   Storage: $0.0184/GB   │
    │   Read: $0.0004/10K ops│
    │   Write: $0.05/10K ops │
    └─────────────────────────┘

❄️ COOL TIER (Infrequent Access)  
    ┌─────────────────────────┐
    │   📊 Characteristics:   │
    │   ⏱️  Higher latency    │
    │   📉 Lower throughput   │
    │   💰 Lower storage cost │
    │   💸 Higher access cost │
    │                         │
    │   🎯 Use Cases:         │
    │   💾 Backup data        │
    │   📄 Document archives  │
    │   🔄 DR copies          │
    │   📊 Monthly reports    │
    │                         │
    │   ⏱️  Minimum Duration:  │
    │   📅 30 days minimum    │
    │                         │
    │   💵 Cost Model:        │
    │   Storage: $0.01/GB     │  
    │   Read: $0.01/10K ops  │
    │   Write: $0.10/10K ops │
    └─────────────────────────┘

🧊 ARCHIVE TIER (Rare Access)
    ┌─────────────────────────┐
    │   📊 Characteristics:   │
    │   ⏳ Hours to rehydrate │
    │   📉 Offline storage    │
    │   💰 Lowest storage cost│
    │   💸 Highest access cost│
    │                         │
    │   🎯 Use Cases:         │
    │   📜 Compliance data    │
    │   🗂️  Long-term backups │
    │   📊 Historical logs    │
    │   🔐 Regulatory archives│
    │                         │
    │   ⏱️  Minimum Duration:  │
    │   📅 180 days minimum   │
    │                         │
    │   🔄 Rehydration Time:  │
    │   Standard: 15 hours    │
    │   High Priority: 1 hour │
    │                         │
    │   💵 Cost Model:        │
    │   Storage: $0.00099/GB │
    │   Rehydrate: $0.10/GB  │
    └─────────────────────────┘

⚡ PREMIUM TIER (High Performance)
    ┌─────────────────────────┐
    │   📊 Characteristics:   │
    │   🚀 Ultra-low latency  │
    │   📈 Maximum throughput │
    │   💾 SSD-based storage  │
    │   💰💰 Premium pricing  │
    │                         │
    │   🎯 Use Cases:         │
    │   🗄️  High-perf databases│
    │   🎮 Gaming applications│
    │   📊 Real-time analytics│
    │   🖥️  VM premium disks  │
    │                         │
    │   📈 Performance:       │
    │   IOPS: Up to 80,000    │
    │   Throughput: 900 MB/s  │
    │   Latency: <1ms         │
    └─────────────────────────┘

Tier Management:
══════════════

Automatic Tier Management:
─────────────────────────
# Lifecycle management policy
{
  "rules": [{
    "name": "MoveToArchive",
    "type": "Lifecycle",
    "definition": {
      "filters": {
        "blobTypes": ["blockBlob"]
      },
      "actions": {
        "baseBlob": {
          "tierToCool": {
            "daysAfterModificationGreaterThan": 30
          },
          "tierToArchive": {
            "daysAfterModificationGreaterThan": 90
          }
        }
      }
    }
  }]
}

CLI Tier Operations:
──────────────────
# Set blob tier
az storage blob set-tier \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --name myblob.pdf \
  --tier Cool

# Rehydrate from Archive
az storage blob set-tier \
  --account-name mystorageaccount \
  --container-name mycontainer \
  --name archived-file.zip \
  --tier Hot \
  --rehydrate-priority Standard
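Lifecycle rules are easy to write and hard to reason about once several rules overlap, so here is an added example, not code from this guide or from Azure, that dry-runs a policy document in the JSON shape shown above against a constructed blob inventory and reports the tier each blob would end up in. It models only the subset used in this guide (blobTypes and prefixMatch filters; tierToCool, tierToArchive and delete keyed on daysAfterModificationGreaterThan) and applies Azure's documented conflict rule that the cheapest action wins (delete over archive over cool). The inventory and the second rule are constructed for illustration.

```python
"""Dry-run a blob lifecycle management policy against a blob inventory.

Added example; not code from the AZ-104 guide or from Azure. Azure evaluates
policies roughly once a day and may take up to 24 hours to act, so treat the
output as a planning aid rather than a prediction of exact timing.
"""
import json
from datetime import datetime

POLICY = json.loads("""
{
  "rules": [
    {"name": "MoveToArchive", "enabled": true, "type": "Lifecycle",
     "definition": {
       "filters": {"blobTypes": ["blockBlob"]},
       "actions": {"baseBlob": {
         "tierToCool":    {"daysAfterModificationGreaterThan": 30},
         "tierToArchive": {"daysAfterModificationGreaterThan": 90}}}}},
    {"name": "PurgeTempUploads", "enabled": true, "type": "Lifecycle",
     "definition": {
       "filters": {"blobTypes": ["blockBlob"],
                   "prefixMatch": ["user-uploads/tmp/"]},
       "actions": {"baseBlob": {
         "delete": {"daysAfterModificationGreaterThan": 7}}}}}
  ]
}
""")

# Constructed inventory: (container/blob path, blob type, current tier, last modified UTC).
INVENTORY = [
    ("web-assets/logo.png",          "blockBlob", "Hot", "2024-05-20T00:00:00Z"),
    ("data-backup/db-2024-01.bak",   "blockBlob", "Hot", "2024-01-15T00:00:00Z"),
    ("data-backup/db-2024-04.bak",   "blockBlob", "Hot", "2024-04-10T00:00:00Z"),
    ("user-uploads/tmp/session.bin", "blockBlob", "Hot", "2024-05-01T00:00:00Z"),
    ("vm-disks/os.vhd",              "pageBlob",  "Hot", "2023-01-01T00:00:00Z"),
]

# When several actions apply to one blob, Azure applies the cheapest one:
# delete beats tierToArchive, which beats tierToCool.
ACTION_RANK = {"tierToCool": 1, "tierToArchive": 2, "delete": 3}
OUTCOME = {"tierToCool": "Cool", "tierToArchive": "Archive", "delete": "DELETED"}


def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def rule_matches(rule: dict, path: str, blob_type: str) -> bool:
    """Apply the rule's blobTypes filter and its optional prefixMatch filter."""
    filters = rule["definition"].get("filters", {})
    if blob_type not in filters.get("blobTypes", []):
        return False
    prefixes = filters.get("prefixMatch")
    return prefixes is None or any(path.startswith(p) for p in prefixes)


def evaluate(policy: dict, inventory: list, as_of: str) -> dict:
    """Return {blob path: resulting tier or 'DELETED'} after one policy pass at `as_of`."""
    now = _utc(as_of)
    result = {}
    for path, blob_type, tier, last_modified in inventory:
        age_days = (now - _utc(last_modified)).total_seconds() / 86400
        chosen = None  # (rank, action) of the cheapest applicable action so far
        for rule in policy["rules"]:
            if not rule.get("enabled", True) or not rule_matches(rule, path, blob_type):
                continue
            for action, cond in rule["definition"]["actions"].get("baseBlob", {}).items():
                threshold = cond.get("daysAfterModificationGreaterThan")
                if action in ACTION_RANK and threshold is not None and age_days > threshold:
                    if chosen is None or ACTION_RANK[action] > chosen[0]:
                        chosen = (ACTION_RANK[action], action)
        result[path] = OUTCOME[chosen[1]] if chosen else tier
    return result


def dry_run(as_of: str = "2024-06-01T00:00:00Z") -> dict:
    """Evaluate the sample policy against the sample inventory."""
    return evaluate(POLICY, INVENTORY, as_of)


if __name__ == "__main__":
    for path, outcome in dry_run().items():
        print(f"{path:32} -> {outcome}")
```

Note how `user-uploads/tmp/session.bin` qualifies for tierToCool under the first rule and for delete under the second; the dry run reports DELETED because that is the action Azure would choose, which is exactly the kind of interaction worth catching before the policy goes live.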

Configure Soft Delete for Azure Files

Explanation

Azure Files soft delete protects file shares and individual files from accidental deletion by retaining deleted data for a specified period. Soft-deleted files can be restored within the retention period before permanent deletion.

Examples

Recovering accidentally deleted project files, restoring file shares deleted by mistake, retrieving files removed by automated scripts, protecting against ransomware attacks.

Enterprise Use Case

Organizations enable soft delete for data protection, compliance requirements, accidental deletion recovery, and as part of comprehensive backup strategies for file shares.

Diagram

Azure Files Soft Delete Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                 🗂️  AZURE FILES SOFT DELETE                    │
└─────────────────────────────────────────────────────────────────┘

Soft Delete Lifecycle:
════════════════════

1️⃣  Active File Share
    ┌─────────────────────────┐
    │   📁 File Share Active  │
    │   ├─ 📄 document1.docx  │
    │   ├─ 📄 spreadsheet.xlsx│
    │   ├─ 📁 project-folder/ │
    │   │   ├─ 📄 code.js     │
    │   │   └─ 📄 readme.md   │
    │   └─ 📸 image.png       │
    │                         │
    │   Status: ✅ Available  │
    └─────────────────────────┘
            │ (Delete Operation)
            ▼
2️⃣  Soft Deleted State
    ┌─────────────────────────┐
    │ 🗑️  File Share Deleted  │
    │   ├─ 📄 document1.docx  │
    │   ├─ 📄 spreadsheet.xlsx│
    │   ├─ 📁 project-folder/ │
    │   │   ├─ 📄 code.js     │
    │   │   └─ 📄 readme.md   │
    │   └─ 📸 image.png       │
    │                         │
    │   Status: ⏳ Soft Delete│
    │   Retention: 7-365 days │
    └─────────────────────────┘
            │                   │
         (Restore)         (Retention Expires)
            ▼                   ▼
    ┌─────────────────────────┐ ┌─────────────────────────┐
    │ ✅ Share Restored       │ │ ❌ Permanently Deleted  │
    │   (All data intact)     │ │   (Data unrecoverable)  │
    └─────────────────────────┘ └─────────────────────────┘

Configuration Methods:
════════════════════

Azure Portal Configuration:
─────────────────────────
Storage Account → File Shares → Settings → Soft Delete
├─ ✅ Enable Soft Delete
├─ ⏱️  Retention Period: [7-365] days
└─ 💾 Save Configuration

CLI Configuration:
─────────────────
# Enable soft delete for file shares
az storage account file-service-properties update \
  --resource-group myResourceGroup \
  --account-name mystorageaccount \
  --enable-delete-retention true \
  --delete-retention-days 30

# Disable soft delete
az storage account file-service-properties update \
  --resource-group myResourceGroup \
  --account-name mystorageaccount \
  --enable-delete-retention false

PowerShell Configuration:
───────────────────────
# Enable soft delete for file shares (management-plane cmdlet; the
# Enable-AzStorageDeleteRetentionPolicy cmdlet applies to the blob service only)
Update-AzStorageFileServiceProperty `
  -ResourceGroupName "myRG" `
  -StorageAccountName "mystorage" `
  -EnableShareDeleteRetentionPolicy $true `
  -ShareRetentionDays 30

Recovery Operations:
══════════════════

Portal Recovery:
──────────────
File Shares → [Deleted Shares] → Select Share → Restore

CLI Recovery:
────────────
# List soft-deleted shares
az storage share-rm list \
  --resource-group myResourceGroup \
  --storage-account mystorageaccount \
  --include-deleted

# Restore soft-deleted share  
az storage share-rm restore \
  --resource-group myResourceGroup \
  --storage-account mystorageaccount \
  --name "deleted-share-name" \
  --deleted-version "version-id"

PowerShell Recovery:
──────────────────
# List deleted shares
Get-AzRmStorageShare `
  -ResourceGroupName "myRG" `
  -StorageAccountName "mystorage" `
  -IncludeDeleted

# Restore deleted share
Restore-AzRmStorageShare `
  -ResourceGroupName "myRG" `
  -StorageAccountName "mystorage" `
  -Name "deleted-share" `
  -DeletedShareVersion "version"

Protection Benefits:
─────────────────
🛡️  Accidental deletion protection
⏰ Configurable retention period (7-365 days)
🔄 Complete share restoration
📊 Maintains all file permissions and metadata
💰 Pay only for storage during retention
🚫 No additional recovery time (instant restore)

Best Practices:
═════════════
✅ Enable on all production file shares
⏱️  Set retention based on business needs
📋 Document retention policies
🔔 Monitor deleted shares regularly  
🔄 Test restore procedures
📊 Include in disaster recovery plans

Storage Authorization Overview

Explanation

Azure Storage authorization provides multiple authentication and authorization mechanisms to control access to storage resources. It includes Azure AD-based identity authentication, Shared Access Signatures for granular permissions, and account keys for full access control.

Examples

Using Azure AD for user-based access control, generating SAS tokens for temporary access, managing storage account keys for administrative tasks, implementing role-based access control for enterprise scenarios.

Enterprise Use Case

Organizations use comprehensive authorization to implement zero-trust security models, provide granular access control for different user roles, ensure compliance with security policies, and maintain audit trails for data access.

Diagram

Storage Authorization Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                🔐 AZURE STORAGE AUTHORIZATION                  │
└─────────────────────────────────────────────────────────────────┘

Authorization Methods:
════════════════════

1️⃣  AZURE AD AUTHENTICATION (Identity-Based)
    ┌─────────────────────────┐
    │   👤 User/Application   │
    │   ├─ 🆔 Identity Token  │
    │   ├─ 🎫 OAuth 2.0       │
    │   └─ 🔑 RBAC Roles      │
    └─────────────────────────┘
            │
            ▼
    ┌─────────────────────────┐
    │  📦 Storage Account     │
    │  ├─ 🔍 Token Validation │
    │  ├─ ✅ Role Check       │
    │  └─ 🚪 Access Granted   │
    └─────────────────────────┘

2️⃣  SHARED ACCESS SIGNATURES (Permission-Based)
    ┌─────────────────────────┐
    │    🎟️  SAS Token        │
    │   ├─ ⏰ Time Bounds     │
    │   ├─ 🎯 Resource Scope  │
    │   ├─ 🔧 Permissions     │
    │   └─ 🔒 Signature       │
    └─────────────────────────┘
            │
            ▼
    ┌─────────────────────────┐
    │  📦 Storage Resource    │
    │  ├─ ✅ Token Valid      │
    │  ├─ ⏰ Not Expired      │
    │  └─ 🚪 Access Allowed   │
    └─────────────────────────┘

3️⃣  ACCOUNT KEYS (Full Access)
    ┌─────────────────────────┐
    │    🔑 Primary Key       │
    │    🔑 Secondary Key     │
    │                         │
    │   Master Access to:     │
    │   ├─ 📦 All Containers  │
    │   ├─ 📁 All File Shares │
    │   ├─ 📊 All Tables      │
    │   └─ 🔄 All Operations  │
    └─────────────────────────┘

Authorization Decision Flow:
═══════════════════════════

Request → Authentication Check → Authorization Check → Access Grant/Deny

Best Practices:
═════════════
🔐 Use Azure AD for user access (most secure)
🎟️  Use SAS for temporary/limited access
🔑 Restrict account key usage to admin tasks only
🔄 Rotate keys and tokens regularly
📊 Monitor access patterns and logs
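Because a SAS carries its whole policy (permissions, expiry, scope, allowed protocol) in cleartext query parameters, anyone who finds one in a config file, pipeline log or support ticket can assess how dangerous it is without the signing key. The following is an added example, not code from this guide or from Azure, that parses the documented SAS query parameters (sv, ss, srt, sr, sp, st, se, sip, spr, si, skoid, sig) and flags the settings a reviewer would object to; the sample URLs are constructed and their signatures are dummies, and the seven-day lifetime threshold is an assumed policy value.

```python
"""Audit a Shared Access Signature (SAS) for risky settings.

Added example, not code from the AZ-104 guide. The findings map onto the
best practices above: prefer short-lived, narrowly scoped, read-only,
IP-restricted, HTTPS-only tokens, and prefer tokens that can be revoked
(stored access policy or user delegation key) over ad-hoc key-signed ones.
"""
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed samples: an account SAS with broad rights and a far-off expiry,
# and a container-scoped, read-only, IP-restricted service SAS.
SAMPLE_SAS = {
    "account-wide": (
        "https://stlegacy.blob.core.windows.net/?sv=2022-11-02&ss=bfqt&srt=sco"
        "&sp=rwdlacupx&se=2030-01-01T00:00:00Z&spr=https,http&sig=FAKESIG%3D"
    ),
    "scoped-read": (
        "https://stlocked.blob.core.windows.net/web-assets?sv=2022-11-02&sr=c"
        "&sp=rl&st=2024-06-01T00:00:00Z&se=2024-06-01T02:00:00Z"
        "&sip=203.0.113.0-203.0.113.255&spr=https&sig=FAKESIG%3D"
    ),
}

# Permission letters that let the holder change or remove data.
MUTATING = set("wdacupxymi")
MAX_LIFETIME_DAYS = 7  # assumed organisational limit for an ad-hoc SAS


def parse_sas(url: str) -> dict:
    """Return the SAS query parameters as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def _utc(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_sas(url: str, as_of: str) -> set:
    """Return the set of finding codes for the SAS in `url`, evaluated at `as_of` (ISO-8601 UTC)."""
    p = parse_sas(url)
    now = _utc(as_of)
    codes = set()
    if "ss" in p or "srt" in p:
        codes.add("ACCOUNT_SAS")            # spans services/resource types, not one container
    if set(p.get("sp", "")) & MUTATING:
        codes.add("MUTATING")               # can write, delete or alter data
    if "se" not in p:
        codes.add("NO_EXPIRY")              # only legal when a stored access policy (si) supplies it
    else:
        remaining = (_utc(p["se"]) - now).total_seconds() / 86400
        if remaining < 0:
            codes.add("EXPIRED")
        elif remaining > MAX_LIFETIME_DAYS:
            codes.add("LONG_LIVED")
    if "sip" not in p:
        codes.add("NO_IP_RESTRICTION")
    # When spr is omitted the service accepts the token over both https and http.
    if "http" in p.get("spr", "https,http").split(","):
        codes.add("HTTP_ALLOWED")
    # Without a stored access policy (si) or a user delegation key (skoid),
    # the only way to invalidate the token early is to rotate the account key.
    if "si" not in p and "skoid" not in p:
        codes.add("NOT_REVOCABLE")
    return codes


def risk_level(codes: set) -> str:
    """Collapse the findings into a triage level."""
    if "MUTATING" in codes and codes & {"ACCOUNT_SAS", "LONG_LIVED", "NO_EXPIRY"}:
        return "high"
    if codes - {"NOT_REVOCABLE"}:
        return "medium"
    return "low"


if __name__ == "__main__":
    for label, url in SAMPLE_SAS.items():
        found = audit_sas(url, "2024-06-01T00:00:00Z")
        print(f"{label}: {risk_level(found)} {sorted(found)}")
```

Run against the samples, the account-wide token is rated high (account scope, write and delete rights, expiry years away, no IP restriction, HTTP permitted), while the scoped read-only token only earns the note that, being key-signed, it cannot be revoked before its two-hour expiry without a key rotation.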

Azure AD Storage Authentication

Explanation

Azure AD authentication for Azure Storage provides identity-based access control using Azure Active Directory credentials. It supports OAuth 2.0 tokens, role-based access control (RBAC), and seamless integration with organizational identity management systems.

Examples

Users logging in with corporate credentials to access blob storage, service principals accessing storage from applications, managed identities for Azure VMs accessing storage without keys, conditional access policies controlling storage access.

Enterprise Use Case

Enterprises use Azure AD authentication to eliminate shared keys, implement zero-trust security models, provide seamless single sign-on experience, integrate with existing identity governance, and maintain detailed audit trails.

Diagram

Azure AD Storage Authentication Flow:

┌─────────────────────────────────────────────────────────────────┐
│               🆔 AZURE AD STORAGE AUTHENTICATION                │
└─────────────────────────────────────────────────────────────────┘

Authentication Flow:
═══════════════════

1️⃣  Identity Request
    ┌─────────────────────────┐
    │   👤 User/Application   │
    │   ├─ 📧 user@company.com│
    │   ├─ 🔐 Credentials     │
    │   └─ 📱 MFA Challenge   │
    └─────────────────────────┘
            │
            ▼
2️⃣  Azure AD Validation
    ┌─────────────────────────┐
    │    🏢 Azure AD Tenant   │
    │   ├─ ✅ Identity Valid  │
    │   ├─ 🎫 Issue Token     │
    │   └─ ⏰ Token Expiry    │
    └─────────────────────────┘
            │
            ▼
3️⃣  Storage Access Request
    ┌─────────────────────────┐
    │  📦 Azure Storage       │
    │   ├─ 🔍 Token Check     │
    │   ├─ 🎭 Role Validation │
    │   └─ 🚪 Access Control  │
    └─────────────────────────┘

RBAC Roles for Storage:
══════════════════════

📖 Storage Blob Data Reader
   └─ Read access to blob containers and data

✏️  Storage Blob Data Contributor  
   └─ Read, write, delete access to blob containers and data

👑 Storage Blob Data Owner
   └─ Full access including ACL management

📁 Storage File Data SMB Share Reader
   └─ Read access to Azure File shares via SMB

✏️  Storage File Data SMB Share Contributor
   └─ Read, write, delete access to file shares via SMB

Configuration Examples:
═════════════════════

PowerShell RBAC Assignment:
─────────────────────────
# Assign Storage Blob Data Contributor role (PowerShell continues a line with a backtick, not a backslash)
New-AzRoleAssignment `
  -SignInName user@company.com `
  -RoleDefinitionName "Storage Blob Data Contributor" `
  -Scope "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

CLI RBAC Assignment:
──────────────────
# Assign role to user
az role assignment create \
  --assignee user@company.com \
  --role "Storage Blob Data Reader" \
  --scope "/subscriptions/$subscriptionId/resourceGroups/$rgName"

Application Registration:
───────────────────────
# Register a single-tenant app in Azure AD and capture its application (client) id
# (newer CLI versions replaced --available-to-other-tenants with --sign-in-audience)
appId=$(az ad app create \
  --display-name "StorageAccessApp" \
  --sign-in-audience AzureADMyOrg \
  --query appId -o tsv)

# Create the service principal for the app
az ad sp create --id "$appId"

# Grant storage permissions to the service principal (the app id is accepted as the assignee)
az role assignment create \
  --assignee "$appId" \
  --role "Storage Blob Data Contributor" \
  --scope "$storageAccountScope"

Benefits:
════════
🔐 No shared keys required
🆔 Centralized identity management
📊 Detailed access logging
🎯 Fine-grained permissions
🔄 Automatic token rotation
⚡ Seamless SSO integration

Shared Access Signatures (SAS) Authentication

Explanation

Shared Access Signatures (SAS) provide secure, granular, and time-limited access to Azure Storage resources without exposing account keys. SAS tokens contain permissions, time bounds, IP restrictions, and cryptographic signatures for secure delegation of access.

Examples

Granting temporary read access to a specific blob for external partners, allowing time-limited upload permissions to a container for batch processing, providing read-only access to file shares for reporting applications.

Enterprise Use Case

Organizations use SAS tokens to securely share data with external partners, provide temporary access for batch jobs, implement secure file upload/download scenarios, and delegate permissions without sharing account keys.

Diagram

SAS Token Architecture and Types:

┌─────────────────────────────────────────────────────────────────┐
│              🎟️  SHARED ACCESS SIGNATURES (SAS)                │
└─────────────────────────────────────────────────────────────────┘

SAS Token Components:
════════════════════

┌─────────────────────────────────────────┐
│           🎫 SAS TOKEN ANATOMY          │
├─────────────────────────────────────────┤
│ 📅 Start Time: 2024-01-01T00:00:00Z    │
│ ⏰ Expiry Time: 2024-01-02T00:00:00Z   │
│ 🎯 Resource: /blob/container/file.pdf   │
│ 🔧 Permissions: r (read only)          │
│ 🌐 IP Range: 203.0.113.0/24           │
│ 🔒 Signature: sr=c&sp=r&se=...        │
└─────────────────────────────────────────┘

SAS Types:
═════════

1️⃣  USER DELEGATION SAS (Most Secure)
    ┌─────────────────────────┐
    │  🆔 Azure AD Identity   │
    │  ├─ 👤 User Context     │
    │  ├─ 🎫 Delegation Key   │
    │  └─ 🔐 AD-Signed Token  │
    └─────────────────────────┘
    ✅ Most secure (Azure AD based)
    ✅ Auditable to specific users
    ✅ Follows Azure AD policies

2️⃣  SERVICE SAS (Resource-Specific)
    ┌─────────────────────────┐
    │  📦 Storage Resource    │
    │  ├─ 🎯 Specific Scope   │
    │  ├─ 🔑 Account Key Sign │
    │  └─ ⚡ Direct Access    │
    └─────────────────────────┘
    🎯 Access to specific resource
    ⚡ Fast and direct
    🔧 Fine-grained permissions

3️⃣  ACCOUNT SAS (Service-Level)
    ┌─────────────────────────┐
    │  🏢 Storage Account     │
    │  ├─ 📊 Multiple Services│
    │  ├─ 🔑 Account Key Sign │
    │  └─ 📝 Service Control  │
    └─────────────────────────┘
    📊 Access to multiple services
    🔧 Service-level operations
    👑 Account-level permissions

Permission Types:
═══════════════

Read (r):     📖 Download/view content
Write (w):    ✏️  Upload/modify content  
Delete (d):   🗑️  Remove content
List (l):     📋 List container contents
Add (a):      ➕ Append to blob
Create (c):   🆕 Create new resources
Update (u):   🔄 Update metadata
Process (p):  ⚡ Queue message processing

SAS Generation Examples:
══════════════════════

PowerShell (Service SAS):
────────────────────────
# Generate blob SAS token (signed with the account key taken from the context)
$ctx = (Get-AzStorageAccount -ResourceGroupName "myRG" -Name "mystorage").Context
$sasToken = New-AzStorageBlobSASToken `
  -Container "documents" `
  -Blob "report.pdf" `
  -Permission r `
  -ExpiryTime (Get-Date).AddHours(24) `
  -FullUri `
  -Context $ctx

CLI (Container SAS):
──────────────────
# Generate container SAS
az storage container generate-sas \
  --name mycontainer \
  --permissions rwdl \
  --expiry 2024-12-31T23:59:00Z \
  --account-name mystorageaccount \
  --account-key $accountKey

User Delegation SAS (Most Secure):
─────────────────────────────────
# Build a context that authenticates with the signed-in Azure AD account (OAuth) instead of the account key;
# the caller needs the generateUserDelegationKey action (for example the Storage Blob Delegator role)
$oauthCtx = New-AzStorageContext -StorageAccountName "mystorage" -UseConnectedAccount

# A SAS created with an OAuth context is a user delegation SAS; the delegation key Azure issues
# behind the scenes is valid for at most 7 days, which bounds the SAS lifetime
$userSas = New-AzStorageBlobSASToken `
  -Container "secure-docs" `
  -Blob "confidential.pdf" `
  -Permission r `
  -StartTime (Get-Date) `
  -ExpiryTime (Get-Date).AddHours(2) `
  -Context $oauthCtx

Security Best Practices:
══════════════════════
🔐 Use User Delegation SAS when possible (most secure)
⏰ Set shortest practical expiration time
🎯 Apply principle of least privilege
🌐 Restrict IP addresses when feasible
🔄 Regenerate account keys periodically
📊 Monitor SAS usage and access patterns
🚫 Never embed SAS tokens in client-side code
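An added example (not from the guide) that turns the best practices above into an automated check: it parses a SAS query string or URL, classifies it as user delegation, account or service SAS, and reports every deviation (account-key signing, long or missing expiry, write-like permissions, missing sip, HTTP allowed). The sample tokens are constructed with placeholder signatures; note that sip takes an address or a range, not CIDR notation.

```python
"""Audit Azure Storage SAS tokens against the SAS best practices (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Permission letters carried in the 'sp' field
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
                    "a": "add", "c": "create", "u": "update", "p": "process"}
WRITE_LIKE = set("wdacu")  # anything that can alter data


@dataclass
class SasReport:
    kind: str                      # "user-delegation", "account" or "service"
    permissions: Set[str]
    lifetime: Optional[timedelta]  # None when the token carries no expiry
    findings: List[str] = field(default_factory=list)


def parse_sas(token_or_url: str) -> Dict[str, str]:
    """Accept a bare query string, a '?'-prefixed one or a full URL; last value wins."""
    query = urlsplit(token_or_url).query if "://" in token_or_url else token_or_url.lstrip("?")
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_sas_time(value: str) -> datetime:
    """SAS times are UTC ISO 8601; date-only and minute-precision forms are also accepted."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAS time: {value!r}")


def classify_sas(params: Dict[str, str]) -> str:
    if "skoid" in params:                  # object id of the user delegation key: Azure AD signed
        return "user-delegation"
    if "ss" in params or "srt" in params:  # signed services / resource types exist only on an account SAS
        return "account"
    return "service"


def audit_sas(token_or_url: str, now: Optional[datetime] = None,
              max_lifetime: timedelta = timedelta(hours=24)) -> SasReport:
    """Return the token's classification plus one finding per violated best practice."""
    p = parse_sas(token_or_url)
    now = now or datetime.now(timezone.utc)
    perms = set(p.get("sp", ""))
    report = SasReport(classify_sas(p), perms, None)
    f = report.findings

    if report.kind != "user-delegation":
        f.append("signed with an account key; prefer a user delegation SAS")

    if "se" in p:
        expiry = parse_sas_time(p["se"])
        start = parse_sas_time(p["st"]) if "st" in p else now  # no st: usable from now
        report.lifetime = expiry - start
        if expiry <= now:
            f.append("token is already expired")
        elif report.lifetime > max_lifetime:
            f.append(f"lifetime {report.lifetime} exceeds the allowed {max_lifetime}")
    elif "si" in p:
        f.append("expiry comes from a stored access policy; verify the policy")
    else:
        f.append("no expiry (se) set")

    risky = perms & WRITE_LIKE
    if risky:
        f.append("grants write-like permissions: " + ", ".join(PERMISSION_NAMES[c] for c in sorted(risky)))
    if report.kind == "account" and {"s", "c", "o"} <= set(p.get("srt", "")):
        f.append("account SAS spans service, container and object resource types")

    if "sip" not in p:  # sip is a single address or a range such as 203.0.113.0-203.0.113.255
        f.append("no IP restriction (sip)")
    if "http" in p.get("spr", "https,http").split(","):  # an omitted spr allows both protocols
        f.append("plain HTTP is allowed (spr); require https")
    return report


# Constructed sample tokens: placeholder signatures, made-up GUID-shaped key ids
GOOD_USER_DELEGATION_SAS = (
    "sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00:00:00Z&se=2024-01-01T02:00:00Z"
    "&sip=203.0.113.10&spr=https&skoid=00000000-0000-0000-0000-000000000001"
    "&sktid=00000000-0000-0000-0000-000000000002&sig=PLACEHOLDER")
WEAK_CONTAINER_SAS = "sr=c&sp=rwdl&se=2024-12-31T23:59:00Z&sv=2022-11-02&sig=PLACEHOLDER"
ACCOUNT_SAS = ("sv=2022-11-02&ss=bfqt&srt=sco&sp=rl&se=2024-01-01T12:00:00Z&spr=https"
               "&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")
REFERENCE_TIME = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)  # fixed "now" for reproducible audits

if __name__ == "__main__":
    for label, token in [("user delegation", GOOD_USER_DELEGATION_SAS),
                         ("container", WEAK_CONTAINER_SAS), ("account", ACCOUNT_SAS)]:
        r = audit_sas(token, now=REFERENCE_TIME)
        print(f"{label}: {r.kind}, perms={''.join(sorted(r.permissions))}, findings={r.findings}")
```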

Storage Account Keys Authentication

Explanation

Storage account keys provide full administrative access to Azure Storage accounts. Each storage account has two 512-bit access keys that enable complete control over all storage services, containers, and data within the account.

Examples

Administrative scripts for backup operations, initial application configuration during deployment, bulk data migration tasks, service-to-service authentication in trusted environments.

Enterprise Use Case

Organizations use storage account keys for administrative automation, trusted system integration, initial application bootstrapping, and scenarios requiring full storage account access where Azure AD is not feasible.

Diagram

Storage Account Keys Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                🔑 STORAGE ACCOUNT KEYS AUTHENTICATION           │
└─────────────────────────────────────────────────────────────────┘

Key Management Architecture:
═══════════════════════════

🏢 STORAGE ACCOUNT
├─ 🔑 Primary Key (key1)
│  ├─ 512-bit secret
│  ├─ Full account access
│  └─ All services enabled
│
├─ 🔑 Secondary Key (key2)  
│  ├─ 512-bit secret
│  ├─ Full account access  
│  └─ Backup/rotation key
│
└─ 🔄 Key Rotation Strategy
   ├─ Zero-downtime rotation
   ├─ Blue-green deployment
   └─ Gradual migration

Access Scope with Keys:
═════════════════════

┌─────────────────────────────────────────┐
│        🔑 ACCOUNT KEY PERMISSIONS       │
├─────────────────────────────────────────┤
│ 📦 Blob Storage:                        │
│  ├─ ✅ All containers                   │
│  ├─ ✅ All blobs and metadata           │
│  └─ ✅ Container management             │
│                                         │
│ 📁 File Storage:                        │
│  ├─ ✅ All file shares                  │
│  ├─ ✅ All directories and files        │
│  └─ ✅ Share management                 │
│                                         │
│ 📊 Table Storage:                       │
│  ├─ ✅ All tables                       │
│  ├─ ✅ All entities                     │
│  └─ ✅ Table management                 │
│                                         │
│ 🔄 Queue Storage:                       │
│  ├─ ✅ All queues                       │
│  ├─ ✅ All messages                     │
│  └─ ✅ Queue management                 │
│                                         │
│ ⚙️  Account Management:                 │
│  ├─ ✅ Configuration changes            │
│  ├─ ✅ Access key management            │
│  └─ ✅ Service property updates         │
└─────────────────────────────────────────┘

Key Rotation Process:
═══════════════════

1️⃣  PREPARATION PHASE
    ┌─────────────────────────┐
    │   🔍 Inventory Apps     │
    │   ├─ Identify all apps  │
    │   ├─ Note key usage     │
    │   └─ Plan rotation      │
    └─────────────────────────┘

2️⃣  ROTATION PHASE
    ┌─────────────────────────┐
    │  🔄 Regenerate Key2     │
    │   ├─ Update apps to     │
    │   │   use new key2      │
    │   ├─ Test connectivity  │
    │   └─ Verify operations  │
    └─────────────────────────┘

3️⃣  COMPLETION PHASE
    ┌─────────────────────────┐
    │  🔄 Regenerate Key1     │
    │   ├─ Old key1 invalid   │
    │   ├─ All apps on key2   │
    │   └─ Rotation complete  │
    └─────────────────────────┘

Connection String Format:
═══════════════════════

Standard Connection String:
─────────────────────────
DefaultEndpointsProtocol=https;
AccountName=mystorageaccount;
AccountKey=base64encodedkey==;
EndpointSuffix=core.windows.net

With Custom Endpoint:
───────────────────
DefaultEndpointsProtocol=https;
AccountName=mystorageaccount;
AccountKey=base64encodedkey==;
BlobEndpoint=https://mystorageaccount.blob.core.windows.net/;
QueueEndpoint=https://mystorageaccount.queue.core.windows.net/;
TableEndpoint=https://mystorageaccount.table.core.windows.net/;
FileEndpoint=https://mystorageaccount.file.core.windows.net/
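An added example (not from the guide) that parses the connection string format above, derives the per-service endpoints when they are not given explicitly, flags insecure settings and redacts the secret for logging. The guide breaks the string across lines for readability; in practice it is one line, and the account name and key used here are constructed placeholders.

```python
"""Parse and audit an Azure Storage connection string (added example)."""
from typing import Dict, List

SERVICES = ("Blob", "Queue", "Table", "File")
DEFAULT_SUFFIX = "core.windows.net"
SECRET_KEYS = ("AccountKey", "SharedAccessSignature")


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split on ';' and then on the FIRST '=' only: base64 account keys end in '=' padding."""
    parts: Dict[str, str] = {}
    for segment in conn.strip().split(";"):
        if not segment.strip():
            continue  # tolerate a trailing ';' or line breaks
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key.strip()] = value.strip()
    return parts


def resolve_endpoints(parts: Dict[str, str]) -> Dict[str, str]:
    """An explicit <Service>Endpoint wins; otherwise derive <proto>://<account>.<service>.<suffix>/."""
    proto = parts.get("DefaultEndpointsProtocol", "https")
    account = parts["AccountName"]
    suffix = parts.get("EndpointSuffix", DEFAULT_SUFFIX)
    return {svc: parts.get(f"{svc}Endpoint", f"{proto}://{account}.{svc.lower()}.{suffix}/")
            for svc in SERVICES}


def audit_connection_string(conn: str) -> List[str]:
    """One finding per setting that contradicts the key-handling best practices."""
    parts = parse_connection_string(conn)
    findings: List[str] = []
    if "AccountName" not in parts:
        return ["AccountName missing; endpoints cannot be resolved"]
    if parts.get("DefaultEndpointsProtocol", "https").lower() != "https":
        findings.append("DefaultEndpointsProtocol is not https: data in transit is unencrypted")
    if "AccountKey" in parts:
        findings.append("contains a full account key: keep it in Key Vault or use Azure AD / managed identity")
    for svc, url in resolve_endpoints(parts).items():
        if url.lower().startswith("http://"):
            findings.append(f"{svc} endpoint uses plain HTTP: {url}")
    return findings


def redact(conn: str) -> str:
    """Mask secrets so the string can be logged or pasted into a ticket safely."""
    return ";".join(f"{k}=***" if k in SECRET_KEYS else f"{k}={v}"
                    for k, v in parse_connection_string(conn).items())


# Constructed samples mirroring the two formats shown above (placeholder account and key)
STANDARD = ("DefaultEndpointsProtocol=https;AccountName=mystorageaccount;"
            "AccountKey=base64encodedkey==;EndpointSuffix=core.windows.net")
HTTP_CUSTOM = ("DefaultEndpointsProtocol=http;AccountName=mystorageaccount;AccountKey=base64encodedkey==;"
               "BlobEndpoint=http://mystorageaccount.blob.core.windows.net/")

if __name__ == "__main__":
    for conn in (STANDARD, HTTP_CUSTOM):
        print(redact(conn))
        for finding in audit_connection_string(conn):
            print("  -", finding)
```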

Key Management Commands:
══════════════════════

Azure CLI:
─────────
# List access keys
az storage account keys list \
  --resource-group myResourceGroup \
  --account-name mystorageaccount

# Regenerate primary key
az storage account keys renew \
  --resource-group myResourceGroup \
  --account-name mystorageaccount \
  --key primary

PowerShell:
──────────
# Get access keys (backtick continues the line in PowerShell)
Get-AzStorageAccountKey `
  -ResourceGroupName "myResourceGroup" `
  -Name "mystorageaccount"

# Regenerate secondary key
New-AzStorageAccountKey `
  -ResourceGroupName "myResourceGroup" `
  -Name "mystorageaccount" `
  -KeyName key2

Security Best Practices:
══════════════════════
🔐 Store keys in Azure Key Vault, never in code
🔄 Rotate keys regularly (quarterly recommended)
📊 Monitor key usage and access patterns
🎯 Use SAS or Azure AD when possible (more secure)
🚫 Never commit keys to source control
📱 Use managed identities for Azure services
⚠️  Treat account keys like root passwords
🔍 Audit applications using account keys
📋 Document key rotation procedures
🏢 Implement break-glass procedures for emergencies

Storage Encryption Overview

Explanation

Azure Storage encryption provides comprehensive data protection through multiple layers of encryption at rest and in transit. It includes service-managed encryption, customer-managed keys, infrastructure encryption, and client-side encryption options for maximum security flexibility.

Examples

Automatic encryption of all stored data, using customer-managed keys from Key Vault for compliance, implementing double encryption for highly sensitive data, client-side encryption for zero-trust architectures.

Enterprise Use Case

Organizations use storage encryption to meet compliance requirements (GDPR, HIPAA, SOX), protect sensitive intellectual property, implement zero-trust security models, and maintain data sovereignty in regulated industries.

Diagram

Storage Encryption Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                 🔐 AZURE STORAGE ENCRYPTION                     │
└─────────────────────────────────────────────────────────────────┘

Encryption Layers:
════════════════

1️⃣  SERVICE-SIDE ENCRYPTION (Default)
    ┌─────────────────────────────────────────┐
    │        🛡️  AUTOMATIC ENCRYPTION         │
    ├─────────────────────────────────────────┤
    │ 📊 Data at Rest:                        │
    │  ├─ AES-256 encryption                  │
    │  ├─ Microsoft-managed keys              │
    │  └─ Transparent to applications         │
    │                                         │
    │ 🚛 Data in Transit:                     │
    │  ├─ HTTPS/TLS 1.2+ required            │
    │  ├─ SMB 3.0+ encryption                │
    │  └─ End-to-end protection              │
    └─────────────────────────────────────────┘

2️⃣  CUSTOMER-MANAGED KEYS (CMK)
    ┌─────────────────────────────────────────┐
    │         🔑 CUSTOMER CONTROL             │
    ├─────────────────────────────────────────┤
    │ 🔐 Azure Key Vault Integration:         │
    │  ├─ Customer-owned encryption keys      │
    │  ├─ Key rotation control               │
    │  ├─ Access policy management           │
    │  └─ Audit trail for key usage          │
    │                                         │
    │ 📋 Compliance Benefits:                 │
    │  ├─ BYOK (Bring Your Own Key)          │
    │  ├─ Data sovereignty                   │
    │  ├─ Regulatory compliance              │
    │  └─ Enhanced audit capabilities         │
    └─────────────────────────────────────────┘

3️⃣  INFRASTRUCTURE ENCRYPTION (Double)
    ┌─────────────────────────────────────────┐
    │      🔒🔒 DOUBLE ENCRYPTION              │
    ├─────────────────────────────────────────┤
    │ Layer 1: Service encryption (AES-256)   │
    │ Layer 2: Infrastructure encryption      │
    │                                         │
    │ 🎯 Benefits:                            │
    │  ├─ Protection against implementation   │
    │  │   flaws in any single layer         │
    │  ├─ Defense in depth strategy          │
    │  ├─ Compliance with strict standards   │
    │  └─ Ultimate data protection           │
    └─────────────────────────────────────────┘

4️⃣  CLIENT-SIDE ENCRYPTION
    ┌─────────────────────────────────────────┐
    │        👤 CLIENT CONTROL                │
    ├─────────────────────────────────────────┤
    │ 🔐 Encrypt before upload:               │
    │  ├─ Application-level encryption        │
    │  ├─ Client library integration          │
    │  ├─ Key management by client            │
    │  └─ Zero-trust architecture             │
    │                                         │
    │ ✅ Maximum Security:                    │
    │  ├─ Data encrypted before leaving       │
    │  │   client environment                │
    │  ├─ Microsoft cannot access data       │
    │  ├─ Customer has complete control       │
    │  └─ Ultimate privacy protection         │
    └─────────────────────────────────────────┘

Encryption Flow:
══════════════

Data Upload → Client Encryption → Network Encryption → Service Encryption → Storage

Key Management Options:
═════════════════════

🏢 MICROSOFT-MANAGED KEYS (Default)
├─ ✅ Fully automated
├─ ✅ No management overhead  
├─ ✅ Transparent operation
└─ ❌ Limited customer control

🔑 CUSTOMER-MANAGED KEYS (CMK)
├─ ✅ Customer key ownership
├─ ✅ Granular access control
├─ ✅ Audit trail visibility
├─ ⚠️  Requires Key Vault setup
└─ ⚠️  Customer responsibility

👤 CUSTOMER-PROVIDED KEYS (CPK)
├─ ✅ Maximum customer control
├─ ✅ Zero Microsoft key access
├─ ✅ Ultimate data sovereignty
├─ ⚠️  Complex key management
└─ ⚠️  Higher operational overhead

Configuration Examples:
═════════════════════

Enable CMK with PowerShell:
──────────────────────────
# Create Key Vault key (the vault must have soft delete and purge protection enabled for CMK)
$key = Add-AzKeyVaultKey `
  -VaultName "mykeyvault" `
  -Name "storagekey" `
  -Destination Software

# Give the storage account a managed identity and let it get/wrap/unwrap the key
Set-AzStorageAccount -ResourceGroupName "myRG" -Name "mystorageaccount" -AssignIdentity
$principalId = (Get-AzStorageAccount -ResourceGroupName "myRG" -Name "mystorageaccount").Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -VaultName "mykeyvault" -ObjectId $principalId -PermissionsToKeys get,wrapKey,unwrapKey

# Configure storage encryption with the customer-managed key
$keyVault = Get-AzKeyVault -VaultName "mykeyvault"
Set-AzStorageAccount `
  -ResourceGroupName "myRG" `
  -Name "mystorageaccount" `
  -KeyvaultEncryption `
  -KeyVaultUri $keyVault.VaultUri `
  -KeyName $key.Name

Enable Infrastructure Encryption (CLI):
──────────────────────────────────────
az storage account create \
  --name mystorageaccount \
  --resource-group myResourceGroup \
  --location eastus \
  --sku Standard_LRS \
  --encryption-services blob file \
  --require-infrastructure-encryption

Security Benefits:
════════════════
🔐 Data protection at rest and in transit
🎯 Compliance with regulatory requirements
🔑 Customer control over encryption keys
📊 Comprehensive audit trails
🛡️  Defense in depth security strategy
⚡ Transparent operation (no performance impact)
🌐 Global availability and support
🔄 Automatic key rotation capabilities

Create and Configure Azure File Shares

Explanation

Azure File shares provide fully managed file shares in the cloud accessible via SMB and NFS protocols. File shares enable legacy applications to migrate to Azure without code changes and provide shared storage for distributed applications.

Examples

Shared application configuration files, shared logs for distributed applications, legacy application file storage, development and testing shared resources, backup and archive storage.

Enterprise Use Case

Organizations use Azure Files to replace on-premises file servers, enable hybrid scenarios with Azure File Sync, provide shared storage for containerized applications, and support legacy applications requiring file shares.

Diagram

Azure File Share Creation & Configuration:

┌─────────────────────────────────────────────────────────────────┐
│               📁 AZURE FILE SHARE ARCHITECTURE                 │
└─────────────────────────────────────────────────────────────────┘

File Share Creation Methods:
══════════════════════════

🖥️  AZURE PORTAL METHOD
    ┌─────────────────────────┐
    │  🏠 Storage Account     │
    │  ├─ 📁 File shares      │
    │  ├─ ➕ + File share     │
    │  ├─ 📝 Name & quota     │
    │  └─ ⚙️  Performance tier │
    └─────────────────────────┘

💻 AZURE CLI METHOD
    ┌─────────────────────────┐
    │  az storage share create│
    │  --name myfileshare     │
    │  --quota 100           │
    │  --account-name storage │
    │  --account-key key     │
    └─────────────────────────┘

🟦 POWERSHELL METHOD
    ┌─────────────────────────┐
    │  New-AzStorageShare     │
    │  -Name "myfileshare"    │
    │  -Context $ctx         │
    │  -Quota 100             │
    └─────────────────────────┘

File Share Configuration:
═══════════════════════

📊 Performance Tiers:
├─ 🔥 Premium (SSD-based, up to 100K IOPS)
├─ 🌐 Standard Transaction Optimized
├─ 💾 Standard Hot (frequently accessed)
└─ ❄️  Standard Cool (infrequently accessed)

🔗 Protocol Support:
├─ 📂 SMB 2.1, 3.0, 3.1.1 (Windows/Linux/macOS)
├─ 🔗 NFS 4.1 (Linux only, Premium tier)
└─ 🌐 REST API access

🔐 Authentication Options:
├─ 🆔 Azure AD Domain Services
├─ 🖥️  On-premises AD DS
├─ 🔑 Storage account key
└─ 🎟️  SAS tokens

Mount Examples:
═════════════

Windows Mount:
─────────────
net use Z: \\mystorageaccount.file.core.windows.net\myfileshare /persistent:yes

Linux Mount:
───────────
sudo mount -t cifs //mystorageaccount.file.core.windows.net/myfileshare /mnt/myfileshare -o username=mystorageaccount,password=storagekey,dir_mode=0777,file_mode=0777

PowerShell Mount:
────────────────
$connectTestResult = Test-NetConnection -ComputerName mystorageaccount.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\mystorageaccount.file.core.windows.net\myfileshare" -Persist
}

Create Azure File Shares (Portal)

Explanation

Azure Portal provides an intuitive web interface for creating and managing Azure File shares with visual configuration options, quota settings, and access tier selection through guided workflows.

Examples

Creating shared storage for applications, setting up development team shared folders, configuring backup destinations, establishing shared configuration storage.

Enterprise Use Case

Portal is preferred for initial setup, one-time configurations, visual quota management, and users who prefer GUI-based file share administration.

Diagram

Portal File Share Creation Workflow:

┌─────────────────────────────────────────────────────────────────┐
│             🖥️  AZURE PORTAL FILE SHARE CREATION              │
└─────────────────────────────────────────────────────────────────┘

Step-by-Step Portal Process:
═══════════════════════════

1️⃣  Navigate to Storage Account
    ┌─────────────────────────┐
    │  🏠 Azure Portal Home   │
    │  ├─ 📦 Storage Accounts │
    │  ├─ 🔍 Select Account   │
    │  └─ 📁 File shares      │
    └─────────────────────────┘

2️⃣  Create File Share
    ┌─────────────────────────┐
    │  📁 File shares blade   │
    │  ┌─────────────────┐   │
    │  │ ➕ + File share │   │
    │  └─────────────────┘   │
    │  ├─ 📋 Existing shares │
    │  └─ 🔄 Refresh         │
    └─────────────────────────┘

3️⃣  Configure Share Settings
    ┌─────────────────────────┐
    │  ⚙️  File Share Setup   │
    │                         │
    │  📝 Name: [myshare]     │
    │                         │
    │  📊 Performance Tier:   │
    │  ○ Transaction optimized│
    │  ○ Hot                  │
    │  ○ Cool                 │
    │  ● Premium              │
    │                         │
    │  📐 Quota: [100] GiB    │
    │                         │
    │  🔐 Access Tier:        │
    │  ● TransactionOptimized │
    │  ○ Hot                  │
    │  ○ Cool                 │
    │                         │
    │  [✅ Create]            │
    └─────────────────────────┘

4️⃣  File Share Management
    ┌─────────────────────────┐
    │  📁 myshare - Created   │
    │                         │
    │  📊 Overview            │
    │  ├─ 📈 Usage metrics    │
    │  ├─ 🔗 Connection info  │
    │  └─ 📋 Properties       │
    │                         │
    │  🛠️  Management         │
    │  ├─ 📂 Browse files     │
    │  ├─ 🔐 Access policy    │
    │  ├─ 📸 Snapshots        │
    │  └─ 🔄 Backup           │
    └─────────────────────────┘

Portal Configuration Options:
═══════════════════════════

Performance Tiers:
─────────────────
🔥 Premium: SSD-based, up to 100,000 IOPS
🌐 Transaction Optimized: Balanced performance/cost
💾 Hot: Frequently accessed data
❄️  Cool: Infrequently accessed data

Access Protocols:
───────────────
📂 SMB: Windows, Linux, macOS support
🔗 NFS: Linux-only (Premium tier)
🌐 REST: API-based access

Portal Benefits:
══════════════
✅ Visual quota management
✅ Real-time usage monitoring
✅ Integrated connection strings
✅ Access policy configuration
✅ Snapshot management
✅ No command-line knowledge required

Common Portal Tasks:
──────────────────
📁 Upload/download files via browser
📋 Copy connection strings
📸 Create file share snapshots
🔐 Configure access permissions
📊 Monitor usage and performance
🔄 Set up backup policies

Create Azure File Shares (CLI)

Explanation

Azure CLI provides command-line tools for programmatic file share creation and management. CLI offers automation capabilities, scripting integration, and precise parameter control for Azure File share operations.

Examples

Automated file share provisioning in deployment scripts, batch creating multiple shares, CI/CD pipeline integration, programmatic quota management.

Enterprise Use Case

DevOps teams use the CLI for automation, system administrators prefer it for scripting, and developers integrate it with infrastructure-as-code workflows.

Diagram

CLI File Share Creation Commands:

┌─────────────────────────────────────────────────────────────────┐
│               💻 AZURE CLI FILE SHARE OPERATIONS               │
└─────────────────────────────────────────────────────────────────┘

Authentication & Setup:
══════════════════════
# Login to Azure
az login

# Set subscription
az account set --subscription "Your Subscription"

# Set default storage account
az configure --defaults storage-account=mystorageaccount

Basic File Share Creation:
═════════════════════════

# Simple file share
az storage share create \
  --name myfileshare \
  --quota 100 \
  --account-name mystorageaccount \
  --account-key "storagekey"

# With connection string
az storage share create \
  --name myfileshare \
  --quota 100 \
  --connection-string "DefaultEndpointsProtocol=https;..."

# Premium file share
az storage share create \
  --name premiumshare \
  --quota 100 \
  --account-name premiumstorage \
  --account-key "key" \
  --metadata Department=IT Environment=Production

Advanced Share Configuration:
═══════════════════════════

# File share with specific access tier (the tier is a management-plane property, so use share-rm)
az storage share-rm create \
  --storage-account mystorageaccount \
  --name myshare \
  --quota 500 \
  --access-tier Hot

# Multiple shares with automation
shares=("dev-share" "test-share" "prod-share")
quotas=(50 100 500)

for i in "${!shares[@]}"; do
  az storage share create \
    --name "${shares[i]}" \
    --quota "${quotas[i]}" \
    --account-name mystorageaccount \
    --metadata Environment=${shares[i]%-*}
done

File Share Management:
════════════════════

# List all file shares
az storage share list \
  --account-name mystorageaccount \
  --account-key "key" \
  --output table

# Show file share properties
az storage share show \
  --name myfileshare \
  --account-name mystorageaccount \
  --account-key "key"

# Update file share quota
az storage share update \
  --name myfileshare \
  --quota 200 \
  --account-name mystorageaccount

# Delete file share
az storage share delete \
  --name myfileshare \
  --account-name mystorageaccount \
  --delete-snapshots include

# Generate SAS token for file share
az storage share generate-sas \
  --name myfileshare \
  --permissions rwdl \
  --expiry 2024-12-31T23:59:00Z \
  --account-name mystorageaccount \
  --account-key "key"

File Operations:
══════════════

# Upload file to share
az storage file upload \
  --share-name myfileshare \
  --source ./localfile.txt \
  --path remotefile.txt \
  --account-name mystorageaccount

# Download file from share
az storage file download \
  --share-name myfileshare \
  --path remotefile.txt \
  --dest ./downloadedfile.txt \
  --account-name mystorageaccount

# List files in share
az storage file list \
  --share-name myfileshare \
  --account-name mystorageaccount \
  --output table

Automation Examples:
──────────────────

#!/bin/bash
# Backup automation script: one share per day, tagged with the backup date
SHARE_NAME="backup-$(date +%Y%m%d)"
az storage share create \
  --name "$SHARE_NAME" \
  --quota 1000 \
  --metadata "BackupDate=$(date +%Y-%m-%d)" \
  --account-name backupstorage

# Development environment setup
az storage share create --name dev-configs --quota 10
az storage share create --name dev-logs --quota 50  
az storage share create --name dev-data --quota 100

CLI Benefits:
───────────
🚀 Fast command execution
📜 Perfect for automation and scripting
🔄 Easy CI/CD integration
⚡ Batch operations support
🎯 Precise parameter control
📊 JSON output for processing
🔧 Advanced filtering and querying

Create Azure File Shares (PowerShell)

Explanation

Azure PowerShell provides object-oriented file share management through cmdlets. PowerShell offers rich object manipulation, pipeline processing, and Windows-native integration for Azure File share operations.

Examples

PowerShell scripts for enterprise file share management, Windows-integrated automation, object-based share property manipulation, advanced filtering and reporting.

Enterprise Use Case

Windows administrators prefer PowerShell for automation, enterprises with PowerShell-based infrastructure use it for consistency, and Windows-centric environments rely on it for native integration.

Diagram

PowerShell File Share Management:

┌─────────────────────────────────────────────────────────────────┐
│            🟦 AZURE POWERSHELL FILE SHARE OPERATIONS           │
└─────────────────────────────────────────────────────────────────┘

Module Installation & Setup:
═══════════════════════════
# Install Azure PowerShell
Install-Module -Name Az -Force -AllowClobber

# Import storage module
Import-Module Az.Storage
Import-Module Az.Accounts

# Connect to Azure
Connect-AzAccount

# Set subscription context
Set-AzContext -SubscriptionName "Your Subscription"

Basic File Share Creation:
═════════════════════════

# Get storage account context (backtick continues the line in PowerShell)
$storageAccount = Get-AzStorageAccount `
  -ResourceGroupName "myResourceGroup" `
  -Name "mystorageaccount"

$ctx = $storageAccount.Context

# Create simple file share (data-plane cmdlet, authenticates with the context)
New-AzStorageShare `
  -Name "myfileshare" `
  -Context $ctx

# New-AzStorageShare has no -Quota parameter: set the quota afterwards...
Set-AzStorageShareQuota -ShareName "myfileshare" -Quota 100 -Context $ctx

# ...or create the share with the management-plane cmdlet, which takes quota and metadata directly
$metadata = @{
    "Department" = "IT"
    "Environment" = "Production"
    "Owner" = "AdminTeam"
}

New-AzRmStorageShare `
  -ResourceGroupName "myResourceGroup" `
  -StorageAccountName "mystorageaccount" `
  -Name "premium-share" `
  -QuotaGiB 500 `
  -Metadata $metadata

Advanced Share Operations:
════════════════════════

# Create multiple file shares (the Premium tier is only valid on a premium FileStorage account)
$shares = @(
    @{Name="dev-share"; Quota=50; Tier="TransactionOptimized"},
    @{Name="test-share"; Quota=100; Tier="Hot"},
    @{Name="prod-share"; Quota=500; Tier="Premium"}
)

$shares | ForEach-Object {
    New-AzRmStorageShare `
        -ResourceGroupName "myResourceGroup" `
        -StorageAccountName "mystorageaccount" `
        -Name $_.Name `
        -QuotaGiB $_.Quota `
        -AccessTier $_.Tier
}

# File share with specific access tier
New-AzRmStorageShare `
  -ResourceGroupName "myResourceGroup" `
  -StorageAccountName "mystorageaccount" `
  -Name "hot-data-share" `
  -QuotaGiB 200 `
  -AccessTier Hot

File Share Management:
════════════════════

# List all file shares
Get-AzStorageShare -Context $ctx

# Get specific file share
Get-AzStorageShare -Name "myfileshare" -Context $ctx

# Get file share properties
$share = Get-AzStorageShare -Name "myfileshare" -Context $ctx
$share.Properties
$share.Metadata

# Update file share quota
Set-AzStorageShareQuota `
  -ShareName "myfileshare" `
  -Quota 200 `
  -Context $ctx

# Remove file share
Remove-AzStorageShare `
  -Name "myfileshare" `
  -Context $ctx `
  -Force

Pipeline Processing Examples:
═══════════════════════════

# Get shares and filter by size
Get-AzStorageShare -Context $ctx | 
  Where-Object { $_.Quota -gt 100 } |
  Select-Object Name, Quota, LastModified

# Bulk quota updates
Get-AzStorageShare -Context $ctx |
  Where-Object { $_.Name -like "*dev*" } |
  ForEach-Object { 
    Set-AzStorageShareQuota -ShareName $_.Name -Quota 75 -Context $ctx 
  }

# Export share information; actual usage comes from the management plane (-GetShareUsage)
Get-AzStorageShare -Context $ctx |
  ForEach-Object {
    Get-AzRmStorageShare -ResourceGroupName "myResourceGroup" -StorageAccountName "mystorageaccount" -Name $_.Name -GetShareUsage
  } |
  Select-Object Name, QuotaGiB, @{Name="UsedGB";Expression={($_.ShareUsageBytes/1GB).ToString("F2")}} |
  Export-Csv -Path "file-shares-report.csv" -NoTypeInformation

File Operations:
══════════════

# Upload file to share
$share = Get-AzStorageShare -Name "myfileshare" -Context $ctx
Set-AzStorageFileContent `
  -Share $share `
  -Source "C:\local\file.txt" `
  -Path "remote/file.txt"

# Download file from share
Get-AzStorageFileContent `
  -Share $share `
  -Path "remote/file.txt" `
  -Destination "C:\download\file.txt"

# List files in share
Get-AzStorageFile -Share $share

SAS Token Generation:
═══════════════════

# Generate file share SAS token
New-AzStorageShareSASToken `
  -Name "myfileshare" `
  -Permission rwdl `
  -ExpiryTime (Get-Date).AddDays(30) `
  -Context $ctx

# Generate file-specific SAS
$share = Get-AzStorageShare -Name "myfileshare" -Context $ctx
New-AzStorageFileSASToken `
  -Share $share `
  -Path "important-file.pdf" `
  -Permission r `
  -ExpiryTime (Get-Date).AddHours(24)
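
The two SAS commands above differ a lot in blast radius (rwdl for 30 days versus r for 24 hours). The following review routine is an added example, not part of the study guide: it inspects the token string a cmdlet returns (the standard sv, sr, sp, st, se, spr, sip and sig parameters) against a lifetime/permission policy, with no call to Azure; the policy limits and both sample tokens are constructed for the demo.

```python
"""Review a Storage SAS token string against a permission/lifetime policy.

Added example (not from the study guide). Only the token's query string is
inspected; nothing is sent to Azure. Policy values and tokens are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(hours=24)   # policy assumption: no SAS lives longer than a day
ALLOWED_PERMISSIONS = set("rl")      # policy assumption: read + list is enough

# Constructed tokens; the signatures are placeholders, not real HMACs.
# Shape of the 30-day "rwdl" share SAS generated above (sr=s = share).
SHARE_SAS_30_DAYS = ("?sv=2022-11-02&sr=s&sp=rwdl&st=2030-01-01T00:00:00Z"
                     "&se=2030-01-31T00:00:00Z&sig=PLACEHOLDER")
# Shape of the 24-hour read-only file SAS (sr=f = file), tightened to HTTPS
# and to the office range used elsewhere in this guide.
FILE_SAS_READ_ONLY = ("?sv=2022-11-02&sr=f&sp=r&st=2030-01-01T00:00:00Z"
                      "&se=2030-01-01T12:00:00Z&spr=https"
                      "&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")
REVIEW_TIME = datetime(2030, 1, 1, 6, 0, tzinfo=timezone.utc)  # fixed "now" for the demo


def parse_sas(token: str) -> dict:
    """Split a SAS query string into a flat {parameter: value} dict."""
    pairs = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def _parse_time(value: str) -> datetime:
    """SAS times are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_sas(token: str, now: datetime) -> list:
    """Return policy findings for one token; an empty list means it passes."""
    p = parse_sas(token)
    findings = []
    if "sig" not in p:
        findings.append("no signature (sig): token is not a valid SAS")
    extra = set(p.get("sp", "")) - ALLOWED_PERMISSIONS
    if extra:
        findings.append("permissions beyond policy: " + "".join(sorted(extra)))
    if "se" not in p:
        findings.append("no expiry (se): token never expires")
    else:
        expiry = _parse_time(p["se"])
        start = _parse_time(p["st"]) if "st" in p else now
        if expiry - start > MAX_LIFETIME:
            findings.append(f"lifetime {expiry - start} exceeds {MAX_LIFETIME}")
        if expiry <= now:
            findings.append("token has already expired")
    if p.get("spr") != "https":
        findings.append("not limited to HTTPS (spr): token may travel in clear text")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    return findings


def review_samples() -> dict:
    """Run the review over both constructed tokens with the fixed review time."""
    return {
        "share_30_days": review_sas(SHARE_SAS_30_DAYS, REVIEW_TIME),
        "file_read_only": review_sas(FILE_SAS_READ_ONLY, REVIEW_TIME),
    }


if __name__ == "__main__":
    for name, findings in review_samples().items():
        print(name, "->", findings or ["OK"])
```

In practice, pipe the token returned by the cmdlet into `review_sas` before handing it to a consumer; the 30-day share token above collects four findings, the scoped file token none.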

PowerShell Benefits:
─────────────────
🔷 Object-oriented file share management
🔄 Rich pipeline processing capabilities
🪟 Native Windows integration
📊 Advanced filtering and reporting
🎯 Strongly typed objects and properties
⚡ Efficient bulk operations
📜 Excellent for complex automation scenarios
🔧 Comprehensive error handling and logging

Azure Storage Firewalls and Virtual Networks

Explanation

Azure Storage firewalls provide network-level security by restricting access to storage accounts based on IP addresses, virtual networks, and subnets. This creates a secure perimeter around your storage data.

Examples

Restrict access to specific corporate IP ranges, allow only production VNets, block public internet access, configure service endpoints for Azure services.

Enterprise Use Case

Organizations use storage firewalls to enforce network isolation, comply with security policies, prevent data exfiltration, and implement defense-in-depth strategies.

Diagram

Storage Firewall Configuration:

┌─────────────────────────────────────────────────────────────────┐
│                🏢 AZURE STORAGE ACCOUNT                        │
│                    (mystorageaccount)                           │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                    🛡️ STORAGE FIREWALL                         │
│                                                                 │
│  📍 Network Rules:                                              │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ ✅ ALLOWED ACCESS                                       │   │
│  │ ───────────────                                         │   │
│  │ • 🏢 Corporate VNet (10.0.0.0/16)                       │   │
│  │ • 🌐 Office IP Range (203.0.113.0/24)                   │   │
│  │ • ⚡ Azure Services (Trusted Microsoft Services)        │   │
│  │ • 🔗 Service Endpoints from approved subnets            │   │
│  └─────────────────────────────────────────────────────────┘   │
│                                                                 │
│  ❌ BLOCKED ACCESS:                                             │
│  • 🌍 Public Internet (Default Deny)                           │
│  • 🏠 Home Networks                                             │
│  • 🤖 Unauthorized Services                                     │
└─────────────────────────────────────────────────────────────────┘

Configuration Methods:
─────────────────────

🖥️ Azure Portal:
Storage Account → Networking → Firewalls and virtual networks
• Selected networks
• Add virtual network
• Add IP address range

💻 Azure CLI:
# Add VNet rule
az storage account network-rule add \
  --account-name mystorageaccount \
  --resource-group myRG \
  --vnet-name myVNet \
  --subnet mySubnet

# Add IP rule
az storage account network-rule add \
  --account-name mystorageaccount \
  --resource-group myRG \
  --ip-address 203.0.113.100

⚡ PowerShell:
# Configure network access
Add-AzStorageAccountNetworkRule `
  -ResourceGroupName "myRG" `
  -AccountName "mystorageaccount" `
  -VirtualNetworkResourceId "/subscriptions/.../myVNet"

Security Benefits:
─────────────────
🔒 Network-level access control
🛡️ Defense against unauthorized access
📊 Audit trail of network access attempts
🎯 Granular control over data plane access

Identity-based Access for Azure Files

Explanation

Identity-based access for Azure Files enables authentication and authorization using Azure AD identities instead of storage account keys. This provides granular, identity-based security controls for file shares.

Examples

Domain-joined Windows VMs accessing file shares with AD credentials, Azure AD users mounting file shares, service principals accessing files programmatically, RBAC role assignments for file access.

Enterprise Use Case

Organizations use identity-based access to integrate file shares with existing AD infrastructure, eliminate shared keys, implement least-privilege access, and maintain audit trails.

Diagram

Identity-based Access Architecture:

┌─────────────────────────────────────────────────────────────────┐
│                   👥 AZURE ACTIVE DIRECTORY                    │
│                                                                 │
│  🏢 On-premises AD ←→ 🔄 Azure AD Connect ←→ ☁️ Azure AD        │
│                                                                 │
│  Users: john@company.com, mary@company.com                      │
│  Groups: Finance, HR, Developers                               │
└─────────────────┬───────────────────────────────────────────────┘
                  │ 🔐 Authentication
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                🎯 RBAC ROLE ASSIGNMENTS                        │
│                                                                 │
│  john@company.com → 📁 Storage File Data SMB Share Contributor │
│  mary@company.com → 📄 Storage File Data SMB Share Reader      │
│  HR Group → 📁 Storage File Data SMB Share Contributor         │
└─────────────────┬───────────────────────────────────────────────┘
                  │ ✅ Authorization
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                💾 AZURE FILE SHARE                             │
│                                                                 │
│  📂 company-data/                                               │
│  ├─ 📁 finance/      (HR Group: Read/Write)                    │
│  ├─ 📁 hr/           (john@company.com: Read/Write)            │
│  └─ 📁 shared/       (mary@company.com: Read Only)             │
│                                                                 │
│  🔗 Access Methods:                                             │
│  • 🪟 Windows: net use Z: \\storageaccount.file.core...      │
│  • 🐧 Linux: mount -t cifs //storageaccount.file.core...       │
│  • 📱 REST API: Bearer token authentication                     │
└─────────────────────────────────────────────────────────────────┘

Configuration Steps:
──────────────────

1️⃣ Enable Azure AD DS or AD Connect
2️⃣ Configure storage account for identity access:

# Enable Azure AD authentication
az storage account update \
  --name mystorageaccount \
  --resource-group myRG \
  --enable-files-aadds true

3️⃣ Assign RBAC roles:

# Grant contributor access to user
az role assignment create \
  --role "Storage File Data SMB Share Contributor" \
  --assignee john@company.com \
  --scope "/subscriptions/.../storageAccounts/mystorageaccount"

4️⃣ Mount with identity:

# Windows (domain-joined)
net use Z: \\mystorageaccount.file.core.windows.net\myshare

# Linux with Azure AD token
mount -t cifs //mystorageaccount.file.core.windows.net/myshare /mnt/myshare \
  -o username=john@company.com,password="",dir_mode=0777,file_mode=0777

Benefits:
────────
🔐 Centralized identity management
🛡️ No shared storage keys
📊 Detailed access auditing
🎯 Granular permissions per user/group
🔄 Integration with existing AD infrastructure

Azure Storage Redundancy Types (LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS)

Explanation

Azure Storage redundancy options protect your data against hardware failures, datacenter outages, and regional disasters. Each redundancy type offers different levels of durability, availability, and cost.

Examples

LRS for development environments, GRS for production backups, ZRS for high-availability applications in single regions, GZRS for mission-critical applications requiring both high availability and disaster recovery.

Enterprise Use Case

Organizations choose redundancy based on their availability requirements, disaster recovery needs, compliance requirements, and budget constraints.

Diagram

Storage Redundancy Options:

┌─────────────────────────────────────────────────────────────────┐
│                  🏢 REDUNDANCY COMPARISON                       │
└─────────────────────────────────────────────────────────────────┘

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                         📍 LRS                                  ┃
┃                (Locally Redundant Storage)                      ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

🏢 Single Datacenter - East US:
┌─────────────────────────────────────────────────────────────┐
│                    East US Datacenter                      │
│                                                             │
│  Rack 1         Rack 2         Rack 3                      │
│  ┌─────┐       ┌─────┐       ┌─────┐                       │
│  │ 💾  │       │ 💾  │       │ 💾  │  ← 3 Copies           │  
│  │Copy1│       │Copy2│       │Copy3│    Same Data          │
│  └─────┘       └─────┘       └─────┘                       │
└─────────────────────────────────────────────────────────────┘

💰 Cost: Lowest    🛡️ Durability: 99.999999999% (11 nines)
🎯 Use Case: Development, non-critical data, cost-sensitive

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                         🏗️ ZRS                                  ┃
┃                (Zone Redundant Storage)                         ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

🌆 Multiple Zones - East US Region:
┌─────────────────────────────────────────────────────────────┐
│                      East US Region                        │
│                                                             │
│ Zone 1          Zone 2          Zone 3                     │
│ ┌─────────┐    ┌─────────┐     ┌─────────┐                 │
│ │📍DC-A   │    │📍DC-B   │     │📍DC-C   │                 │
│ │ ┌─────┐ │    │ ┌─────┐ │     │ ┌─────┐ │                 │
│ │ │ 💾  │ │    │ │ 💾  │ │     │ │ 💾  │ │ ← 3 Copies      │
│ │ │Copy1│ │    │ │Copy2│ │     │ │Copy3│ │   Different     │
│ │ └─────┘ │    │ └─────┘ │     │ └─────┘ │   Zones         │
│ └─────────┘    └─────────┘     └─────────┘                 │
└─────────────────────────────────────────────────────────────┘

💰 Cost: Medium    🛡️ Durability: 99.9999999999% (12 nines)
🎯 Use Case: High availability within region, zone failures protection

📊 Decision Matrix:
─────────────────

Requirement                  │ Recommended
─────────────────────────────┼────────────────────────
Development/Testing          │ LRS
Production (Single Region)   │ ZRS
Business Critical            │ GRS or GZRS
Need Read Access During DR   │ RA-GRS or RA-GZRS
Maximum Availability         │ GZRS or RA-GZRS
Cost Optimization            │ LRS
Compliance Requirements      │ GRS+ (check specifics)

🔧 Configuration Examples:
────────────────────────

# Create with LRS
az storage account create \
  --sku Standard_LRS \
  --name mystorageaccount \
  --resource-group myRG

# Create with ZRS  
az storage account create \
  --sku Standard_ZRS \
  --name mystorageaccount \
  --resource-group myRG

# Create with GRS
az storage account create \
  --sku Standard_GRS \
  --name mystorageaccount \
  --resource-group myRG

Azure Storage Account Failover

Explanation

Storage account failover allows you to initiate failover of your storage account to the secondary region in case of primary region unavailability. This feature is available for GRS, RA-GRS, GZRS, and RA-GZRS accounts.

Examples

Failover during regional disasters, planned maintenance scenarios, testing disaster recovery procedures, switching regions for compliance reasons.

Enterprise Use Case

Organizations use storage failover for business continuity, disaster recovery planning, compliance with data residency requirements, and maintaining service availability during outages.

Diagram

Storage Account Failover Process:

┌─────────────────────────────────────────────────────────────────┐
│                    🚨 DISASTER SCENARIO                         │
└─────────────────────────────────────────────────────────────────┘

BEFORE FAILOVER:
═══════════════
┌─────────────────────────────────┐  ┌─────────────────────────────────┐
│         🏢 PRIMARY              │  │        🏢 SECONDARY             │
│       East US Region            │  │       West US Region            │
│                                 │  │                                 │
│  📊 Storage Account             │  │  📊 Storage Account             │
│  ├─ 🔄 Read/Write Access        │  │  ├─ 📖 Read-Only (RA-GRS)       │
│  ├─ 💾 Live Data                ├──┼──┤ 💾 Replicated Data            │
│  ├─ 🌐 Public Endpoint          │  │  ├─ 🌐 Secondary Endpoint       │
│  └─ ✅ Healthy                  │  │  └─ ✅ Ready                    │
│                                 │  │                                 │
│         👥 Applications         │  │                                 │
│         ↕️ Active Traffic       │  │                                 │
└─────────────────────────────────┘  └─────────────────────────────────┘
                ▲                                      ▲
          🔥 OUTAGE OCCURS!                      🚀 Initiate Failover

AFTER FAILOVER:
══════════════
┌─────────────────────────────────┐  ┌─────────────────────────────────┐
│         🚨 OLD PRIMARY          │  │        🏢 NEW PRIMARY           │
│       East US Region            │  │       West US Region            │
│         (Still Down)            │  │        (Now Active)             │
│                                 │  │                                 │
│  📊 Storage Account             │  │  📊 Storage Account             │
│  ├─ ❌ No Access                │  │  ├─ 🔄 Read/Write Access        │
│  ├─ 💾 Inaccessible Data        │  │  ├─ 💾 Live Data (Now Primary)  │
│  ├─ 🌐 Endpoint Down            │  │  ├─ 🌐 Primary Endpoint         │
│  └─ 🔥 Still Outage             │  │  └─ ✅ Operational              │
│                                 │  │                                 │
│     🚫 No Traffic               │  │         👥 Applications         │
│                                 │  │         ↕️ Active Traffic       │
└─────────────────────────────────┘  └─────────────────────────────────┘
                                               🎯 Service Restored!

🔧 Failover Initiation Methods:
─────────────────────────────

🖥️ Azure Portal:
Storage Account → Geo-replication → Prepare for failover → Failover

💻 Azure CLI:
# Initiate account failover
az storage account failover \
  --name mystorageaccount \
  --resource-group myRG \
  --yes

⚡ PowerShell:
# Invoke storage account failover
Invoke-AzStorageAccountFailover `
  -ResourceGroupName "myRG" `
  -Name "mystorageaccount" `
  -Force

⚠️ Important Failover Considerations:
───────────────────────────────────

🔄 Failover Characteristics:
• ⏱️ Time: Typically ~1 hour (can vary)
• 📊 Data Loss: Potential data loss (check Last Sync Time)
• 🔄 Reversible: Original region becomes secondary when recovered
• 💾 LRS Conversion: Account becomes LRS in new region
• 🌐 Endpoint: Primary endpoint switches to new region

🛡️ Best Practices:
──────────────────

🔍 Before Failover:
• 📊 Check Last Sync Time for potential data loss
• 🛑 Stop write operations to minimize data loss
• 📋 Document current configuration
• 👥 Notify application teams

✅ After Failover:
• 🔍 Verify data integrity
• 📊 Update application connection strings
• 🛠️ Reconfigure redundancy (if needed)
• 📋 Test application functionality
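
The "check Last Sync Time" step above is the one that bounds data loss, so it is worth automating before anyone runs `az storage account failover`. The routine below is an added example, not part of the study guide: it evaluates the fields that `az storage account show --expand geoReplicationStats` returns (sku.name and geoReplicationStats.status/lastSyncTime/canFailover) against a recovery point objective; the RPO, the fixed clock and both account documents are constructed.

```python
"""Pre-failover check: quantify potential data loss before initiating failover.

Added example (not from the study guide). Input is the JSON of
`az storage account show --expand geoReplicationStats`; samples are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# SKUs for which customer-initiated failover exists (GRS, RA-GRS, GZRS, RA-GZRS).
GEO_SKUS = {"Standard_GRS", "Standard_RAGRS", "Standard_GZRS", "Standard_RAGZRS"}
MAX_RPO = timedelta(minutes=15)      # assumption: tolerate at most 15 minutes of lost writes
NOW = datetime(2030, 3, 1, 10, 12, tzinfo=timezone.utc)  # fixed clock for the demo

# Constructed: RA-GRS account whose secondary is 12 minutes behind the primary.
ACCOUNT_SYNCED = json.loads("""{
  "name": "mystorageaccount",
  "sku": {"name": "Standard_RAGRS"},
  "primaryLocation": "eastus", "secondaryLocation": "westus",
  "geoReplicationStats": {
    "status": "Live",
    "lastSyncTime": "2030-03-01T10:00:00Z",
    "canFailover": true
  }
}""")
# Constructed: same account while replication status is unknown (no sync time).
ACCOUNT_UNKNOWN = json.loads("""{
  "name": "mystorageaccount",
  "sku": {"name": "Standard_RAGRS"},
  "geoReplicationStats": {"status": "Unavailable", "lastSyncTime": null, "canFailover": false}
}""")


def assess_failover(account: dict, now: datetime = NOW, max_rpo: timedelta = MAX_RPO) -> dict:
    """Decide whether a customer-initiated failover stays within the RPO.

    proceed is True only when the account is geo-redundant, the service reports
    canFailover, and the writes since lastSyncTime fit inside max_rpo.
    """
    sku = account.get("sku", {}).get("name", "")
    stats = account.get("geoReplicationStats") or {}
    reasons = []
    if sku not in GEO_SKUS:
        reasons.append(f"{sku} is not geo-redundant; failover is not available")
    if not stats.get("canFailover", False):
        reasons.append("service reports canFailover=false")
    loss_seconds = None
    if stats.get("lastSyncTime"):
        last_sync = datetime.fromisoformat(stats["lastSyncTime"].replace("Z", "+00:00"))
        loss_seconds = int((now - last_sync).total_seconds())
        if now - last_sync > max_rpo:
            reasons.append(f"writes from the last {loss_seconds}s would be lost, beyond RPO")
    else:
        # Unavailable status: the secondary's position is unknown, so loss cannot be bounded.
        reasons.append("lastSyncTime unknown: potential data loss cannot be bounded")
    return {
        "account": account.get("name"),
        "sku": sku,
        "replication_status": stats.get("status"),
        "potential_loss_seconds": loss_seconds,
        "proceed": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for acct in (ACCOUNT_SYNCED, ACCOUNT_UNKNOWN):
        print(json.dumps(assess_failover(acct), indent=2))
```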

Create and Configure Storage Accounts

Explanation

Azure Storage accounts serve as the fundamental container for all Azure Storage services including blobs, files, queues, and tables. Each storage account provides a unique namespace and endpoint for accessing your data.

Examples

Create storage accounts for different environments (dev/prod), separate accounts for compliance, dedicated accounts for backup data, accounts optimized for specific performance requirements.

Enterprise Use Case

Organizations create multiple storage accounts to organize data by environment, compliance requirements, geographical regions, or performance needs while maintaining security boundaries.

Diagram

Storage Account Creation Process:

┌─────────────────────────────────────────────────────────────────┐
│                🏗️ STORAGE ACCOUNT CREATION                     │
└─────────────────────────────────────────────────────────────────┘

Creation Methods:
─────────────────

🖥️ Azure Portal:
┌─────────────────────────────────────────────────────────────┐
│ Azure Portal → Storage accounts → + Create                 │
│                                                             │
│ Step 1: Basics                                             │
│ • Subscription: Production                                  │
│ • Resource Group: storage-rg                               │
│ • Storage account name: mystorageaccount                   │
│ • Region: East US                                           │
│ • Performance: Standard/Premium                             │
│ • Redundancy: LRS/ZRS/GRS/GZRS                            │
│                                                             │
│ Step 2: Advanced                                           │
│ • Security: Secure transfer, TLS version                   │
│ • Data Lake: Hierarchical namespace                        │
│ • Blob access: Hot/Cool/Archive tiers                      │
│                                                             │
│ Step 3: Networking                                         │
│ • Connectivity: Public/Private endpoints                    │
│ • Network routing: Microsoft/Internet                       │
│                                                             │
│ Step 4: Data protection                                    │
│ • Recovery: Point-in-time restore                          │
│ • Tracking: Blob versioning, change feed                   │
│                                                             │
│ [Review + create] → [Create]                               │
└─────────────────────────────────────────────────────────────┘

💻 Azure CLI:
# Basic storage account
az storage account create \
  --name mystorageaccount \
  --resource-group myResourceGroup \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2

# Advanced configuration
az storage account create \
  --name premiumstorage \
  --resource-group myResourceGroup \
  --location eastus \
  --sku Premium_LRS \
  --kind StorageV2 \
  --https-only true \
  --min-tls-version TLS1_2 \
  --allow-blob-public-access false

⚡ PowerShell:
# Create with detailed configuration
New-AzStorageAccount `
  -ResourceGroupName "myResourceGroup" `
  -Name "mystorageaccount" `
  -Location "East US" `
  -SkuName "Standard_GRS" `
  -Kind "StorageV2" `
  -EnableHttpsTrafficOnly $true `
  -MinimumTlsVersion "TLS1_2"

Configuration Options:
────────────────────

📊 Performance Tiers:
• Standard: Cost-optimized, HDD-backed
• Premium: High-performance, SSD-backed

🔄 Redundancy Options:
• LRS: 3 copies in single location
• ZRS: 3 copies across availability zones  
• GRS: 6 copies across two regions
• GZRS: Zone + geo redundant

🎯 Account Types:
• StorageV2: General purpose v2 (recommended)
• BlobStorage: Blob-specific storage
• FileStorage: Premium file shares
• BlockBlobStorage: Premium block blobs

Best Practices:
──────────────
✅ Use meaningful naming conventions
✅ Enable secure transfer (HTTPS only)
✅ Configure appropriate redundancy
✅ Set minimum TLS version to 1.2
✅ Disable public blob access by default
✅ Enable storage logging and monitoring
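
The Best Practices list above and the Azure Storage Firewalls section earlier both describe settings that are easy to verify from the account's resource JSON. The audit below is an added example, not part of the study guide: it reads the properties `az storage account show` returns (supportsHttpsTrafficOnly, minimumTlsVersion, allowBlobPublicAccess, networkRuleSet.defaultAction/ipRules/virtualNetworkRules), reports deviations, and shows the same document after hardening; the "/24 at most" rule width limit and the sample account are constructed.

```python
"""Audit storage account hardening from `az storage account show` output.

Added example (not from the study guide). Property names follow the ARM
storage account resource; the sample account and policy limit are constructed.
"""
import copy
import ipaddress
import json

MAX_HOSTS_PER_IP_RULE = 256   # policy assumption: no allow-rule wider than a /24

# Constructed: an account left at permissive defaults plus a catch-all IP rule.
WEAK_ACCOUNT = json.loads("""{
  "name": "mystorageaccount",
  "supportsHttpsTrafficOnly": false,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "networkRuleSet": {
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [
      {"action": "Allow", "ipAddressOrRange": "203.0.113.100"},
      {"action": "Allow", "ipAddressOrRange": "0.0.0.0/0"}
    ],
    "virtualNetworkRules": [
      {"action": "Allow", "state": "Succeeded",
       "id": "/subscriptions/<sub-id>/resourceGroups/myRG/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/mySubnet"}
    ]
  }
}""")


def audit_storage_account(acct: dict) -> list:
    """Return findings for one account; an empty list means it meets the baseline."""
    findings = []
    if not acct.get("supportsHttpsTrafficOnly", False):
        findings.append("secure transfer required is off: plain HTTP access is possible")
    if acct.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"minimum TLS version is {acct.get('minimumTlsVersion')}, expected TLS1_2")
    if acct.get("allowBlobPublicAccess", True):
        findings.append("anonymous blob access is allowed at the account level")
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append("networkRuleSet.defaultAction is not Deny: any public IP may connect")
    for rule in rules.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        # ipAddressOrRange is a single IPv4 address or a CIDR block.
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if net.num_addresses > MAX_HOSTS_PER_IP_RULE:
            findings.append(f"IP rule {rule['ipAddressOrRange']} allows {net.num_addresses} addresses")
    for vnet in rules.get("virtualNetworkRules", []):
        if vnet.get("state") != "Succeeded":
            subnet = vnet.get("id", "").rsplit("/", 1)[-1]
            findings.append(f"VNet rule for subnet {subnet} is in state {vnet.get('state')}")
    return findings


def harden(acct: dict) -> dict:
    """Return a copy with the baseline applied: HTTPS only, TLS 1.2 minimum,
    no anonymous blob access, default action Deny, over-broad IP rules dropped.
    (The matching az / PowerShell switches appear in the creation examples above.)"""
    fixed = copy.deepcopy(acct)
    fixed["supportsHttpsTrafficOnly"] = True
    fixed["minimumTlsVersion"] = "TLS1_2"
    fixed["allowBlobPublicAccess"] = False
    rules = fixed.setdefault("networkRuleSet", {})
    rules["defaultAction"] = "Deny"
    rules["ipRules"] = [
        r for r in rules.get("ipRules", [])
        if ipaddress.ip_network(r["ipAddressOrRange"], strict=False).num_addresses
        <= MAX_HOSTS_PER_IP_RULE
    ]
    return fixed


if __name__ == "__main__":
    print("weak:    ", audit_storage_account(WEAK_ACCOUNT))
    print("hardened:", audit_storage_account(harden(WEAK_ACCOUNT)))
```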

Standard vs. Premium Storage Accounts

Explanation

Azure offers Standard and Premium storage account types optimized for different performance, cost, and use case requirements. Understanding the differences helps choose the right storage tier for your workloads.

Examples

Standard for general file storage and backups, Premium for high-IOPS databases, Standard for development environments, Premium for production applications requiring consistent low latency.

Enterprise Use Case

Organizations use Standard storage for cost-effective general purposes and Premium storage for performance-critical applications, databases, and workloads requiring guaranteed performance.

Diagram

Standard vs Premium Storage Comparison:

┌─────────────────────────────────────────────────────────────────┐
│                    💾 STORAGE ACCOUNT TYPES                    │
└─────────────────────────────────────────────────────────────────┘

┌─────────────────────────────────┬───────────────────────────────────┐
│           📊 STANDARD           │            ⚡ PREMIUM             │
│         (Cost-Optimized)        │        (Performance-Optimized)   │
├─────────────────────────────────┼───────────────────────────────────┤
│                                 │                                   │
│ 💰 Cost Characteristics:        │ 💰 Cost Characteristics:          │
│ ────────────────────            │ ────────────────────              │
│ • 💵 Lower cost per GB           │ • 💎 Higher cost per GB           │
│ • 📈 Variable performance        │ • 🎯 Predictable performance      │
│ • 🔄 Pay-as-you-use model       │ • ⚡ Premium pricing model        │
│                                 │                                   │
│ 📊 Performance Specs:           │ 📊 Performance Specs:             │
│ ───────────────────             │ ───────────────────               │
│ • 🐌 Up to 20,000 IOPS          │ • 🚀 Up to 80,000+ IOPS          │
│ • 📶 Up to 500 MB/s throughput  │ • 📶 Up to 2,000 MB/s throughput │
│ • ⏱️ Variable latency           │ • ⏱️ Sub-millisecond latency     │
│ • 🔄 Best effort delivery       │ • 🎯 Guaranteed performance       │
│                                 │                                   │
│ 🎯 Ideal Use Cases:             │ 🎯 Ideal Use Cases:               │
│ ─────────────────               │ ─────────────────                 │
│ • 📁 General file storage       │ • 🗄️ High-performance databases  │
│ • 💾 Backup and archive         │ • 📊 Data analytics workloads     │
│ • 🧪 Development/testing        │ • 🎮 Gaming applications          │
│ • 📧 Email and collaboration    │ • 🎥 Media streaming               │
│ • 📄 Document management        │ • 🤖 Machine learning training    │
│ • 🌐 Web application assets     │ • 📈 Real-time analytics          │
└─────────────────────────────────┴───────────────────────────────────┘

💡 Decision Matrix:
─────────────────

Choose STANDARD when:
✅ Cost optimization is priority
✅ General-purpose storage needs
✅ Backup and archival scenarios  
✅ Development/testing environments
✅ Tolerant of variable performance
✅ Need all storage services (Queue/Table)

Choose PREMIUM when:
✅ Performance is critical
✅ Consistent low latency required
✅ High IOPS/throughput workloads
✅ Production database storage
✅ Real-time applications
✅ SLA-backed performance guarantees

📋 Creation Examples:
───────────────────

# Standard Storage Account
az storage account create \
  --name mystandardstorage \
  --resource-group myRG \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2

# Premium Storage Account  
az storage account create \
  --name mypremiumstorage \
  --resource-group myRG \
  --location eastus \
  --sku Premium_LRS \
  --kind StorageV2

Azure Storage Types and Services

Explanation

Azure Storage offers multiple service types designed for different data storage needs: Blob Storage for objects, File Storage for file shares, Queue Storage for messaging, and Table Storage for NoSQL data.

Examples

Blob Storage for images and documents, File Storage for shared network drives, Queue Storage for application messaging, Table Storage for structured NoSQL data like user profiles.

Enterprise Use Case

Organizations use different storage types based on data structure and access patterns: unstructured data (Blob), shared file access (File), asynchronous messaging (Queue), and fast NoSQL lookups (Table).

Diagram

Azure Storage Service Types:

┌─────────────────────────────────────────────────────────────────┐
│                💾 AZURE STORAGE ACCOUNT                        │
│                 (mystorageaccount)                              │
└─┬─────────────┬─────────────┬─────────────┬───────────────────┘
  │             │             │             │
  ▼             ▼             ▼             ▼
┌─────────────┐┌─────────────┐┌─────────────┐┌─────────────────┐
│  🧊 BLOB     ││  📁 FILE    ││  📊 QUEUE   ││  🗃️ TABLE       │
│  STORAGE     ││  STORAGE    ││  STORAGE    ││  STORAGE        │
└─────────────┘└─────────────┘└─────────────┘└─────────────────┘

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                    🧊 BLOB STORAGE                              ┃
┃                  (Object Storage)                               ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

🎯 Use Cases: Web assets, backups, data lakes, CDN content
💰 Pricing: Pay per GB stored + operations
🔄 Access Tiers: Hot, Cool, Archive
📊 Max Size: 5 PB per account

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃                    📁 FILE STORAGE                              ┃
┃                  (Network File Shares)                          ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

🎯 Use Cases: Network drives, lift-and-shift migrations, shared storage
💰 Pricing: Pay per GB provisioned
🔄 Protocols: SMB 3.0, REST API
📊 Max Size: 100 TiB per share

🛠️ Service Selection Guide:
──────────────────────────

Choose BLOB when:
✅ Storing files, images, videos
✅ Static website content
✅ Backup and archival
✅ Data lake scenarios

Choose FILE when:
✅ Replacing network file shares
✅ Lift-and-shift migrations
✅ Configuration files
✅ Shared application data

Choose QUEUE when:
✅ Decoupling application components
✅ Background job processing
✅ Load leveling
✅ Reliable messaging

Choose TABLE when:
✅ Fast NoSQL lookups
✅ User profiles and metadata
✅ IoT device data
✅ Simple structured data

Manage Data using Azure Storage Explorer and AzCopy

Explanation

Azure Storage Explorer and AzCopy are complementary tools for managing Azure Storage data. Storage Explorer provides a GUI for interactive management, while AzCopy offers command-line bulk data operations and automation capabilities.

Examples

Use Storage Explorer for browsing and managing files visually, AzCopy for automated backup scripts, bulk data migrations, scheduled data transfers, and CI/CD pipeline integrations.

Enterprise Use Case

Organizations use Storage Explorer for day-to-day management and troubleshooting, and AzCopy for automated data operations, large-scale migrations, and DevOps workflows.

Diagram

Storage Management Tools Comparison:

┌─────────────────────────────────────────────────────────────────┐
│                🛠️ STORAGE MANAGEMENT TOOLS                     │
└─────────────────────────────────────────────────────────────────┘

🖥️ AZURE STORAGE EXPLORER              💻 AZCOPY
(GUI Tool)                             (Command Line Tool)
─────────────                          ─────────────────

Features:                              Features:
• 🎯 Visual file browser               • 🚀 High-speed data transfer
• 📁 Drag-and-drop operations          • 📜 Scriptable automation
• 🔍 Search and filter                 • 🔄 Resumable transfers
• 📊 Property management               • 📋 Detailed logging
• 🔐 Multiple authentication methods   • ⚡ Parallel operations
• 🌐 Cross-platform support            • 🎯 Pattern-based operations

Use Cases:                             Use Cases:
• 👀 Browse storage contents           • 📦 Bulk data migration
• 🔧 Troubleshoot access issues        • 🔄 Scheduled backups
• 📝 Upload/download small files       • 🤖 Automated workflows
• ⚙️ Configure container settings      • 📊 Large dataset transfers
• 🔍 Investigate storage problems      • 🏗️ CI/CD integrations

┌─────────────────────────────────────────────────────────────────┐
│                    🎯 WHEN TO USE WHICH                        │
├─────────────────────────────────┬───────────────────────────────┤
│        📱 Storage Explorer       │           💻 AzCopy           │
├─────────────────────────────────┼───────────────────────────────┤
│ ✅ Interactive management       │ ✅ Automated operations       │
│ ✅ Visual exploration           │ ✅ Bulk data transfer        │
│ ✅ Learning and training        │ ✅ Production scripts        │
│ ✅ Troubleshooting issues       │ ✅ Performance-critical tasks │
│ ✅ Small file operations        │ ✅ Large dataset migration   │
│ ✅ Container configuration      │ ✅ Scheduled operations      │
└─────────────────────────────────┴───────────────────────────────┘

Common Workflow Integration:
──────────────────────────

1️⃣ Planning Phase:
   📱 Storage Explorer: Browse and understand data structure
   
2️⃣ Development Phase:
   💻 AzCopy: Script bulk operations and test performance
   
3️⃣ Production Phase:
   💻 AzCopy: Execute automated data transfers
   📱 Storage Explorer: Monitor results and troubleshoot

Example Operations:
─────────────────

Storage Explorer Tasks:
• Browse blob containers and file shares
• Upload files via drag-and-drop
• Set container public access levels
• Generate SAS tokens for specific resources
• View and edit blob metadata and properties

AzCopy Tasks:
• Sync entire directories to blob storage
• Copy data between storage accounts
• Perform pattern-based bulk operations
• Transfer large files with resume capability
• Integrate with automated backup systems

Best Practices:
──────────────
✅ Use Storage Explorer for exploration and small tasks
✅ Use AzCopy for bulk operations and automation
✅ Combine both tools for comprehensive storage management
✅ Leverage AzCopy's performance for large data transfers
✅ Use Storage Explorer's GUI for training and troubleshooting

AzCopy Command-Line Data Transfer Tool

Explanation

AzCopy is a command-line utility for copying data to and from Azure Storage. It provides high-performance, resumable transfers with extensive automation capabilities for blob, file, and table storage operations.

Examples

Bulk upload local files to blob storage, sync directories with cloud storage, copy data between storage accounts, migrate data from other cloud providers, automate backup operations.

Enterprise Use Case

Organizations use AzCopy for large-scale data migrations, automated backup scripts, CI/CD pipeline integrations, disaster recovery scenarios, and high-performance data synchronization.

Diagram

AzCopy Data Transfer Operations:

┌─────────────────────────────────────────────────────────────────┐
│                    ⚡ AZCOPY ARCHITECTURE                       │
└─────────────────────────────────────────────────────────────────┘

🖥️ Local System                    ☁️ Azure Storage
─────────────────                  ──────────────

┌─────────────────┐                ┌─────────────────────────┐
│ 📁 Local Files  │                │ 🧊 Blob Storage         │
│ ├─ documents/   │    ⚡ AzCopy    │ ├─ container1/          │
│ ├─ images/      │ ═══════════════►│ ├─ container2/          │
│ └─ backups/     │                │ └─ archive/             │
└─────────────────┘                └─────────────────────────┘
                                   
                                   ┌─────────────────────────┐
                                   │ 📁 File Storage         │
                                   │ ├─ share1/              │
                                   │ ├─ share2/              │
                                   │ └─ backup-share/        │
                                   └─────────────────────────┘

Common AzCopy Commands:
─────────────────────

📤 Upload Operations:
# Upload single file
azcopy copy "C:\local\file.txt" \
  "https://account.blob.core.windows.net/container/file.txt?<SAS>"

# Upload entire directory
azcopy copy "C:\localfolder" \
  "https://account.blob.core.windows.net/container?<SAS>" \
  --recursive=true

# Upload with pattern matching
azcopy copy "C:\data\*.log" \
  "https://account.blob.core.windows.net/logs?<SAS>"

📥 Download Operations:
# Download single file
azcopy copy \
  "https://account.blob.core.windows.net/container/file.txt?<SAS>" \
  "C:\downloads\file.txt"

# Download entire container
azcopy copy \
  "https://account.blob.core.windows.net/container?<SAS>" \
  "C:\downloads" --recursive=true

🔄 Sync Operations:
# Sync local directory with container
azcopy sync "C:\localfolder" \
  "https://account.blob.core.windows.net/container?<SAS>" \
  --recursive=true --delete-destination=true

# Sync between storage accounts
azcopy sync \
  "https://source.blob.core.windows.net/container?<SAS>" \
  "https://dest.blob.core.windows.net/container?<SAS>" \
  --recursive=true

Advanced Features:
────────────────

🔧 Performance Optimization:
# Cap throughput at 1000 Mbps so a bulk transfer does not saturate the link
# (parallelism is tuned separately via the AZCOPY_CONCURRENCY_VALUE environment variable)
azcopy copy "C:\bigdata" \
  "https://account.blob.core.windows.net/container?<SAS>" \
  --recursive=true --cap-mbps 1000

# Resume interrupted transfers
azcopy jobs resume <job-id>

# List active jobs
azcopy jobs list

📋 Logging and Monitoring:
# Enable detailed logging
azcopy copy "source" "destination" \
  --log-level=DEBUG \
  --output-type=json

# Check transfer statistics
azcopy jobs show <job-id>

🎯 Pattern-Based Operations:
# Include specific patterns
azcopy copy "C:\data" \
  "https://account.blob.core.windows.net/container?<SAS>" \
  --include-pattern="*.jpg;*.png" \
  --recursive=true

# Exclude patterns
azcopy copy "C:\data" \
  "https://account.blob.core.windows.net/container?<SAS>" \
  --exclude-pattern="*.tmp;*.log" \
  --recursive=true

Authentication Methods:
─────────────────────

🔐 SAS Token (Recommended):
azcopy copy "source" \
  "https://account.blob.core.windows.net/container?<SAS-token>"

🗝️ Storage Account Key:
set AZURE_STORAGE_ACCOUNT=mystorageaccount
set AZURE_STORAGE_KEY=<account-key>
azcopy copy "source" "https://mystorageaccount.blob.core.windows.net/container"

🎫 Azure AD Authentication:
azcopy login
azcopy copy "source" \
  "https://account.blob.core.windows.net/container"

Performance Benefits:
───────────────────
🚀 Parallel transfer operations
⏸️ Automatic retry and resume
📊 Progress monitoring and reporting
🎯 Optimized for large file transfers
💾 Memory-efficient for huge datasets
🔄 Incremental sync capabilities

Best Practices:
──────────────
✅ Use SAS tokens for secure, limited-time access
✅ Enable logging for troubleshooting large transfers
✅ Test with small datasets before bulk operations
✅ Monitor bandwidth usage in production environments
✅ Use sync for ongoing data synchronization needs
✅ Leverage pattern matching for selective transfers
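The "use SAS tokens for limited-time access" practice is easy to state and easy to get wrong: an AzCopy URL copied out of a ticket may carry a token that is valid for a year, allows HTTP, and grants delete. The following is an added example for this guide (not AzCopy or Azure code) that inspects the SAS query string on a destination URL before it is used. The parameter names it reads (`se`, `sp`, `spr`, `sig`) are the real Azure SAS parameters; the 8-hour maximum lifetime is an assumed organizational policy, and the sample URLs and their signature value are constructed placeholders.

```python
"""Review the SAS token on an AzCopy source/destination URL before using it.

Added example for this guide; not part of AzCopy or Azure. The 8-hour
maximum lifetime is an assumed policy value and the URLs below are
constructed samples with a placeholder signature."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

MAX_SAS_LIFETIME = timedelta(hours=8)  # assumed organizational policy


def review_sas_url(url: str, needed_perms: str = "rl",
                   now: Optional[datetime] = None) -> List[str]:
    """Return policy findings for the SAS on `url`; an empty list means it is acceptable.

    needed_perms lists the SAS permission letters the operation really needs,
    e.g. "rl" (read + list) for a download or sync, "cw" (create + write) for an upload.
    """
    now = now or datetime.now(timezone.utc)
    params = parse_qs(urlparse(url).query)

    def param(key: str):
        return params.get(key, [None])[0]

    findings = []
    if param("sig") is None:
        findings.append("URL carries no SAS signature (sig)")

    expiry = param("se")
    if expiry is None:
        findings.append("SAS has no expiry (se)")
    else:
        expiry_dt = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if expiry_dt <= now:
            findings.append("SAS has already expired")
        elif expiry_dt - now > MAX_SAS_LIFETIME:
            findings.append(f"SAS lifetime {expiry_dt - now} exceeds policy maximum {MAX_SAS_LIFETIME}")

    # spr restricts the protocol; anything other than exactly "https" allows plain HTTP
    if param("spr") != "https":
        findings.append("SAS is not restricted to HTTPS (spr)")

    # Least privilege: every permission letter beyond what the job needs is a finding
    extra = set(param("sp") or "") - set(needed_perms)
    if extra:
        findings.append(f"SAS grants permissions beyond '{needed_perms}': {''.join(sorted(extra))}")
    return findings


# Constructed sample input: a fixed "now" and two URLs with placeholder signatures.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
GOOD_URL = ("https://account.blob.core.windows.net/container"
            "?sv=2022-11-02&sr=c&sp=rl&se=2024-01-15T18:00:00Z&spr=https&sig=PLACEHOLDER")
OVERBROAD_URL = ("https://account.blob.core.windows.net/container"
                 "?sv=2022-11-02&sr=c&sp=racwdl&se=2025-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("good", GOOD_URL), ("overbroad", OVERBROAD_URL)):
        print(label, review_sas_url(url, "rl", NOW) or "OK")
```

Run it before a scripted `azcopy sync` job: a non-empty findings list is a reason to regenerate the token with a shorter expiry and only the permissions the job needs, rather than to proceed.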

Create and Configure Blob Container

Explanation

📚 Explanation: Blob containers organize and secure blob data within Azure Storage accounts. Each container acts as a folder-like structure with configurable access policies, metadata, and lifecycle management settings.

Examples

💡 Examples: Create containers for different applications, organize data by environment (dev/prod), set up public containers for static websites, configure private containers for sensitive data.

Enterprise Use Case

🏢 Use Case: Organizations use blob containers to organize data logically, apply security policies, enable public web hosting, implement data lifecycle management, and control access to different data sets.

Diagram

🎨 Visual: Blob Container Creation and Management:

┌─────────────────────────────────────────────────────────────────┐
│                💾 AZURE STORAGE ACCOUNT                        │
│                  (mystorageaccount)                             │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                  📦 BLOB CONTAINERS                             │
│                                                                 │
│ 🌐 website-assets (Public Blob Access)                         │
│ ├── 🖼️ logo.png                                                │
│ ├── 🎨 styles.css                                               │
│ └── 📄 index.html                                               │
│                                                                 │
│ 🔒 user-data (Private Access)                                   │
│ ├── 👤 profiles/                                                │
│ ├── 📊 reports/                                                 │
│ └── 💾 backups/                                                 │
│                                                                 │
│ 📚 documents (Container-level Public Access)                    │
│ ├── 📋 policies/                                                │
│ ├── 📖 manuals/                                                 │
│ └── 🎯 templates/                                               │
└─────────────────────────────────────────────────────────────────┘

Container Creation Methods:
─────────────────────────

🖥️ Azure Portal:
Storage Account → Containers → + Container
┌─────────────────────────────────────────────────────────────┐
│ Container Name: [website-assets]                           │
│ Public Access Level:                                        │
│ ○ Private (no anonymous access)                            │
│ ○ Blob (anonymous read access for blobs only)              │
│ ● Container (anonymous read access for container and blobs) │
│                                                             │
│ Advanced Settings:                                          │
│ ☑ Enable versioning                                        │
│ ☑ Enable soft delete (7 days)                              │
│ [Create]                                                    │
└─────────────────────────────────────────────────────────────┘

💻 Azure CLI:
# Create private container
az storage container create \
  --name private-data \
  --account-name mystorageaccount \
  --public-access off \
  --auth-mode login

# Create public blob access container
az storage container create \
  --name website-assets \
  --account-name mystorageaccount \
  --public-access blob \
  --auth-mode login

# Create with metadata
az storage container create \
  --name application-logs \
  --account-name mystorageaccount \
  --metadata "environment=production" "department=engineering" \
  --auth-mode login

⚡ PowerShell:
# Get storage context (PowerShell continues a line with a backtick, not a backslash)
$ctx = New-AzStorageContext `
  -StorageAccountName "mystorageaccount" `
  -UseConnectedAccount

# Create container with properties
New-AzStorageContainer `
  -Name "user-uploads" `
  -Context $ctx `
  -Permission Off `
  -Metadata @{
    "created"   = (Get-Date).ToString()
    "purpose"   = "user-file-storage"
    "retention" = "30days"
  }

Access Level Configuration:
─────────────────────────

🔒 Private (No Anonymous Access):
┌─────────────────────────────────────────────────────────────┐
│ • 🔐 Requires authentication for all access                 │
│ • 🎫 SAS tokens, storage keys, or Azure AD required         │
│ • ✅ Maximum security for sensitive data                    │
│ • 🎯 Use for: User data, internal documents, backups       │
└─────────────────────────────────────────────────────────────┘

📖 Blob (Anonymous Read for Blobs Only):
┌─────────────────────────────────────────────────────────────┐
│ • 🌐 Direct blob access via URL (no container listing)     │
│ • ✅ Good for: CDN content, public images, downloadable files│
│ • 🔒 Container contents remain private                       │
│ • 📝 Example: https://account.blob.core.windows.net/container/file.jpg│
└─────────────────────────────────────────────────────────────┘

📂 Container (Anonymous Read for Container and Blobs):
┌─────────────────────────────────────────────────────────────┐
│ • 🌍 Full public access to container and all blobs         │
│ • 📋 Can list all container contents                        │
│ • ⚠️ Use with caution - highest exposure                    │
│ • 🎯 Use for: Public file repositories, static websites     │
└─────────────────────────────────────────────────────────────┘

Container Management Operations:
──────────────────────────────

📝 Update Container Properties:
# Change access level
az storage container set-permission \
  --name website-assets \
  --account-name mystorageaccount \
  --public-access blob \
  --auth-mode login

# Update metadata
az storage container metadata update \
  --name application-logs \
  --account-name mystorageaccount \
  --metadata "updated=2024-01-15" "version=2.0" \
  --auth-mode login

🗑️ Container Lifecycle:
# Enable soft delete for containers
az storage account blob-service-properties update \
  --account-name mystorageaccount \
  --resource-group myRG \
  --enable-container-delete-retention true \
  --container-delete-retention-days 7

# List containers with properties
az storage container list \
  --account-name mystorageaccount \
  --include-metadata \
  --auth-mode login

🏷️ Container Organization Best Practices:
────────────────────────────────────────

Naming Conventions:
• Use lowercase letters, numbers, hyphens only
• Start/end with alphanumeric characters
• Length: 3-63 characters
• Examples: "user-profiles", "app-logs-2024", "static-assets"

Security Practices:
• 🔒 Default to private access
• 🎫 Use SAS tokens for temporary public access
• 🔐 Regular access review and cleanup
• 📋 Document container purposes and access patterns

Organization Strategies:
• 🎯 Group by application or service
• 📅 Separate by environment (dev/staging/prod)
• 🗓️ Consider data lifecycle and retention needs
• 💰 Optimize for cost with appropriate access tiers
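The naming rules above are enforced by the service, so a provisioning script that builds container names from application or environment labels should validate them before calling `az storage container create`. This is an added example for this guide (not Azure SDK code) that implements those rules, plus Azure's rule that hyphens may not be consecutive, and accepts the system containers `$root`, `$web` (static website hosting) and `$logs` as special cases; the `normalize_container_name` helper and its sample inputs are constructed for illustration.

```python
"""Validate and normalize blob container names against Azure's naming rules.

Added example for this guide; not Azure SDK code. Rules: 3-63 characters,
lowercase letters, digits and hyphens only, start and end with a letter or
digit, no consecutive hyphens. $root, $web and $logs are system containers."""
import re
from typing import List

SYSTEM_CONTAINERS = {"$root", "$web", "$logs"}
ALLOWED_CHARS = re.compile(r"^[a-z0-9-]+$")


def validate_container_name(name: str) -> List[str]:
    """Return the rules the name breaks; an empty list means the name is valid."""
    if name in SYSTEM_CONTAINERS:
        return []
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("length must be 3-63 characters")
    if not ALLOWED_CHARS.match(name):
        problems.append("only lowercase letters, digits and hyphens are allowed")
    if not (name[:1].isalnum() and name[-1:].isalnum()):
        problems.append("must start and end with a letter or digit")
    if "--" in name:
        problems.append("hyphens must not be consecutive")
    return problems


def normalize_container_name(raw: str) -> str:
    """Derive a valid name from a free-form label (hypothetical helper).

    Runs of characters outside [a-z0-9] become a single hyphen, leading and
    trailing hyphens are trimmed, and the result is cut to 63 characters.
    """
    candidate = re.sub(r"[^a-z0-9]+", "-", raw.lower()).strip("-")
    return candidate[:63].rstrip("-")


if __name__ == "__main__":
    # Constructed sample labels as a provisioning script might receive them
    for label in ("user-profiles", "My_App Logs 2024", "a--b", "$web"):
        print(f"{label!r}: {validate_container_name(label) or 'valid'} "
              f"-> {normalize_container_name(label)!r}")
```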

Configure Azure Storage Tiers

Explanation

📚 Explanation: Azure Storage offers multiple access tiers (Hot, Cool, Archive) to optimize costs based on data access patterns. Hot is for frequently accessed data, Cool for infrequently accessed data stored for at least 30 days, and Archive for rarely accessed data stored for at least 180 days.

Examples

💡 Examples: Setting Hot tier for active databases, Cool tier for monthly reports, Archive tier for annual backups, using lifecycle policies to automatically move data between tiers based on age.

Enterprise Use Case

🏢 Use Case: Organizations use storage tiers to significantly reduce storage costs, automatically manage data lifecycle, comply with retention policies, and optimize performance for different access patterns.

Diagram

🎨 Visual: Azure Storage Tier Optimization:

┌─────────────────────────────────────────────────────────────────┐
│                  🌡️ STORAGE TIER STRATEGY                      │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                     🔥 HOT TIER                                 │
│  💰 Higher storage cost, Lower access cost                     │
│  ⚡ Immediate access, High performance                          │
│  📊 Use Case: Active databases, frequently used files          │
│                                                                 │
│  Examples:                                                      │
│  • 📄 Current application logs                                 │
│  • 🗃️ Active user data                                         │
│  • 🎵 Streaming media files                                    │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                     ❄️ COOL TIER                               │
│  💰 Lower storage cost, Higher access cost                     │
│  ⏰ Min 30 days, Slightly higher latency                       │
│  📊 Use Case: Monthly reports, backup data                     │
│                                                                 │
│  Examples:                                                      │
│  • 📋 Monthly financial reports                                │
│  • 🗂️ Project documentation archives                          │
│  • 📸 Photo collections                                        │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                   🗄️ ARCHIVE TIER                             │
│  💰 Lowest storage cost, Highest access cost                   │
│  ⏳ Min 180 days, Rehydration required (hours)                 │
│  📊 Use Case: Long-term compliance, disaster recovery          │
│                                                                 │
│  Examples:                                                      │
│  • 📚 Legal compliance documents                               │
│  • 💾 Annual system backups                                    │
│  • 🎬 Video archive collections                                │
└─────────────────────────────────────────────────────────────────┘

🔄 Lifecycle Management Automation:
═══════════════════════════════════════

Policy Configuration:
{
  "rules": [
    {
      "name": "MoveToCool",
      "type": "Lifecycle",
      "definition": {
        "filters": {
          "blobTypes": ["blockBlob"],
          "prefixMatch": ["logs/"]
        },
        "actions": {
          "baseBlob": {
            "tierToCool": {
              "daysAfterModificationGreaterThan": 30
            },
            "tierToArchive": {
              "daysAfterModificationGreaterThan": 180
            }
          }
        }
      }
    }
  ]
}

📋 CLI Commands for Tier Management:
──────────────────────────────────────

# Set blob tier manually
az storage blob set-tier \
  --account-name mystorageaccount \
  --container-name documents \
  --name report.pdf \
  --tier Cool \
  --auth-mode login

# Create lifecycle policy from the JSON file above
az storage account management-policy create \
  --account-name mystorageaccount \
  --resource-group myRG \
  --policy @lifecycle-policy.json

# Check blob tier and last modified
az storage blob show \
  --account-name mystorageaccount \
  --container-name documents \
  --name report.pdf \
  --query '{tier:properties.blobTier, lastModified:properties.lastModified}' \
  --auth-mode login

💡 Cost Optimization Best Practices:
──────────────────────────────────────

Tier Selection Strategy:
• 🔥 Hot: Data accessed multiple times per month
• ❄️ Cool: Data accessed 1-2 times per month
• 🗄️ Archive: Data accessed less than once per year

Automation Recommendations:
• 📅 Set up lifecycle policies for automatic tier transitions
• 🔍 Monitor access patterns using Azure Monitor
• 💰 Review cost analysis reports monthly
• ⚖️ Balance storage costs vs. access costs based on usage patterns
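Before a lifecycle policy is applied with `az storage account management-policy create`, it is worth checking that its thresholds are ordered sensibly and predicting which blobs it will move. The following is an added example for this guide (not Azure code) that evaluates the rule JSON shown above locally: it validates the threshold order and reports the tier a blob should be in given its age. It goes slightly beyond the page's policy by also handling a `delete` action and the optional `enabled` flag on a rule. Blob names are written as `container/blob-path` because `prefixMatch` is compared against the container name and blob path together; the sample blobs and dates are constructed.

```python
"""Evaluate an Azure Storage lifecycle policy locally.

Added example for this guide; it does not call Azure. POLICY is the rule set
from the guide used as sample input; blob names and dates are constructed."""
import copy
from datetime import datetime, timedelta, timezone
from typing import List

POLICY = {
    "rules": [
        {
            "name": "MoveToCool",
            "type": "Lifecycle",
            "definition": {
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["logs/"]},
                "actions": {
                    "baseBlob": {
                        "tierToCool": {"daysAfterModificationGreaterThan": 30},
                        "tierToArchive": {"daysAfterModificationGreaterThan": 180},
                    }
                },
            },
        }
    ]
}

# Ordering used to decide which action is "stronger" when several apply
STATE_RANK = {"Hot": 0, "Cool": 1, "Archive": 2, "Deleted": 3}
ACTION_TARGET = (("delete", "Deleted"), ("tierToArchive", "Archive"), ("tierToCool", "Cool"))


def validate_policy(policy: dict) -> List[str]:
    """Flag rules whose thresholds do not increase cool -> archive -> delete."""
    problems = []
    for rule in policy["rules"]:
        actions = rule["definition"]["actions"].get("baseBlob", {})
        thresholds = [actions[a]["daysAfterModificationGreaterThan"]
                      for a in ("tierToCool", "tierToArchive", "delete") if a in actions]
        if thresholds != sorted(thresholds):
            problems.append(f"rule {rule['name']}: thresholds must increase "
                            f"cool -> archive -> delete, got {thresholds}")
    return problems


def expected_state(policy: dict, blob_name: str, last_modified: datetime,
                   now: datetime, blob_type: str = "blockBlob") -> str:
    """Return the tier (or "Deleted") the policy would have applied to the blob by `now`.

    The service evaluates rules about once a day, so the live state can lag this by up to 24 h.
    """
    age_days = (now - last_modified).days
    state = "Hot"
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        filters = rule["definition"]["filters"]
        if blob_type not in filters.get("blobTypes", []):
            continue
        prefixes = filters.get("prefixMatch", [])
        if prefixes and not any(blob_name.startswith(p) for p in prefixes):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for action, target in ACTION_TARGET:
            if action in actions and age_days > actions[action]["daysAfterModificationGreaterThan"]:
                if STATE_RANK[target] > STATE_RANK[state]:
                    state = target
                break  # strongest applicable action of this rule wins
    return state


def with_threshold(policy: dict, rule_name: str, action: str, days: int) -> dict:
    """Return a copy of the policy with one threshold changed (for what-if checks)."""
    updated = copy.deepcopy(policy)
    for rule in updated["rules"]:
        if rule["name"] == rule_name:
            rule["definition"]["actions"]["baseBlob"][action] = {"daysAfterModificationGreaterThan": days}
    return updated


if __name__ == "__main__":
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    print(validate_policy(POLICY) or "policy thresholds OK")
    for name, age in (("logs/app/2024-05.log", 45), ("logs/app/2023-12.log", 200), ("images/logo.png", 400)):
        print(name, age, "days ->", expected_state(POLICY, name, now - timedelta(days=age), now))
```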

Implement Data Protection for Azure Storage

Explanation

📚 Explanation: Data protection involves backup strategies, disaster recovery planning, geo-replication, versioning, and compliance measures. Azure provides multiple layers including Azure Backup, Site Recovery, built-in redundancy options, and advanced security features.

Examples

💡 Examples: Setting up Azure Backup for VMs, configuring geo-redundant storage, implementing blob versioning, enabling soft delete, creating disaster recovery plans with Site Recovery.

Enterprise Use Case

🏢 Use Case: Organizations implement data protection to ensure business continuity, meet compliance requirements, protect against data loss, recover from disasters, and maintain data integrity across multiple regions.

Diagram

🎨 Visual: Comprehensive Data Protection Strategy:

┌─────────────────────────────────────────────────────────────────┐
│                   🛡️ DATA PROTECTION LAYERS                   │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                     💾 AZURE BACKUP                            │
│  🎯 Purpose: Application-consistent backups                    │
│  📅 Frequency: Daily, Weekly, Monthly, Yearly                  │
│  ⏰ Retention: Up to 99 years                                  │
│                                                                 │
│  Backup Types:                                                  │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ 🖥️ Virtual Machine Backup                              │   │
│  │ 📁 Azure Files Backup                                  │   │
│  │ 🗃️ SQL Database Backup                                 │   │
│  │ 📊 Azure Database Backup                               │   │
│  └─────────────────────────────────────────────────────────┘   │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                🌍 GEO-REDUNDANCY PROTECTION                    │
│                                                                 │
│  Storage Redundancy Options:                                   │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ 🏢 LRS: Locally Redundant (3 copies same datacenter)   │   │
│  │ 🏗️ ZRS: Zone Redundant (3 AZs same region)           │   │
│  │ 🌎 GRS: Geo Redundant (2 regions, 6 copies)          │   │
│  │ 📖 RA-GRS: Read-Access Geo Redundant                  │   │
│  │ 🌍 GZRS: Geo-Zone Redundant (Premium protection)      │   │
│  └─────────────────────────────────────────────────────────┘   │
│                                                                 │
│  Cross-Region Replication:                                     │
│  [Primary Region] ──────────────► [Secondary Region]           │
│      East US                          West US                  │
│   (Read + Write)                   (Read Only*)                │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│               🔄 VERSIONING & SOFT DELETE                      │
│                                                                 │
│  Blob Versioning:                                              │
│  📄 document.pdf (v1) ← Original                               │
│  📄 document.pdf (v2) ← Modified                               │
│  📄 document.pdf (v3) ← Latest                                 │
│                                                                 │
│  Soft Delete Protection:                                       │
│  🗑️ Deleted Data ──── 7-365 days ────► 🔄 Recoverable        │
│                                                                 │
│  Point-in-Time Restore:                                        │
│  ⏰ Restore entire storage account to specific timestamp        │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                🚑 DISASTER RECOVERY (ASR)                      │
│                                                                 │
│  Azure Site Recovery Workflow:                                 │
│  ┌─────────────────┐    ┌─────────────────┐                   │
│  │ 🏢 Primary Site │────│ 🏥 Recovery Site│                   │
│  │                 │    │                 │                   │
│  │ • Production VMs│────│ • Standby VMs   │                   │
│  │ • Applications  │    │ • Replicated    │                   │
│  │ • Data         │    │   Data          │                   │
│  └─────────────────┘    └─────────────────┘                   │
│           │                       │                           │
│           ▼                       ▼                           │
│    Normal Operations      Disaster Recovery                   │
│    (RTO: minutes)        (RTO: hours)                        │
└─────────────────────────────────────────────────────────────────┘

🛠️ Implementation Commands:
══════════════════════════════

Recovery Services Vault Setup:
# Create Recovery Services Vault
az backup vault create \
  --resource-group myRG \
  --name myBackupVault \
  --location "East US"

# Enable backup for VM
az backup protection enable-for-vm \
  --resource-group myRG \
  --vault-name myBackupVault \
  --vm myVM \
  --policy-name DefaultPolicy

Storage Protection Configuration:
# Enable blob versioning
az storage account blob-service-properties update \
  --account-name mystorageaccount \
  --resource-group myRG \
  --enable-versioning true

# Configure soft delete
az storage account blob-service-properties update \
  --account-name mystorageaccount \
  --resource-group myRG \
  --enable-delete-retention true \
  --delete-retention-days 30

# Set up point-in-time restore (requires versioning, change feed and blob soft delete;
# the restore window must be shorter than the soft-delete retention set above)
az storage account blob-service-properties update \
  --account-name mystorageaccount \
  --resource-group myRG \
  --enable-change-feed true \
  --enable-restore-policy true \
  --restore-days 14

🎯 Protection Strategy Matrix:
════════════════════════════════

Data Criticality vs. Protection Level:
┌─────────────────┬─────────────────┬─────────────────┐
│   CRITICALITY   │   BACKUP FREQ   │   REDUNDANCY    │
├─────────────────┼─────────────────┼─────────────────┤
│ 🔴 Mission Crit │ Continuous      │ GZRS + ASR      │
│ 🟡 Business Imp │ Daily           │ GRS + Backup    │
│ 🟢 Standard     │ Weekly          │ ZRS + Snapshots │
│ ⚪ Archive      │ Monthly         │ LRS + Lifecycle │
└─────────────────┴─────────────────┴─────────────────┘

🚨 Disaster Recovery Planning:
═══════════════════════════════════

Recovery Objectives:
• 🎯 RTO (Recovery Time): How fast to restore
• 📊 RPO (Recovery Point): Max acceptable data loss
• 🏢 Business Impact: Cost of downtime
• 🔄 Testing: Regular DR drills and validation
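The versioning, soft-delete and point-in-time-restore settings above interact: restore needs versioning, change feed and soft delete, and its window has to be shorter than the soft-delete retention, so an account can be "protected" on paper and unrestorable in practice. This is an added example for this guide (not Azure code) that audits a document in the shape of `az storage account blob-service-properties show` output against a baseline. The field names (`deleteRetentionPolicy`, `containerDeleteRetentionPolicy`, `isVersioningEnabled`, `changeFeed`, `restorePolicy`) are assumed to match that output; the minimum retention values are assumed policy numbers and the SAMPLE_* documents are constructed.

```python
"""Audit blob data-protection settings against a minimum baseline.

Added example for this guide; it does not call Azure. Input is a dict in the
shape of `az storage account blob-service-properties show` output (assumed
field names). MIN_* values are an assumed baseline, not Azure requirements."""
from typing import List

MIN_BLOB_SOFT_DELETE_DAYS = 7       # assumed baseline
MIN_CONTAINER_SOFT_DELETE_DAYS = 7  # assumed baseline


def audit_blob_protection(props: dict) -> List[str]:
    """Return baseline violations and inconsistent settings; empty list means compliant."""
    findings = []
    soft = props.get("deleteRetentionPolicy") or {}
    if not soft.get("enabled"):
        findings.append("blob soft delete is disabled")
    elif (soft.get("days") or 0) < MIN_BLOB_SOFT_DELETE_DAYS:
        findings.append(f"blob soft delete retention {soft.get('days')} < {MIN_BLOB_SOFT_DELETE_DAYS} days")

    csoft = props.get("containerDeleteRetentionPolicy") or {}
    if not csoft.get("enabled"):
        findings.append("container soft delete is disabled")
    elif (csoft.get("days") or 0) < MIN_CONTAINER_SOFT_DELETE_DAYS:
        findings.append(f"container soft delete retention {csoft.get('days')} < {MIN_CONTAINER_SOFT_DELETE_DAYS} days")

    if not props.get("isVersioningEnabled"):
        findings.append("blob versioning is disabled")

    restore = props.get("restorePolicy") or {}
    if restore.get("enabled"):
        # Point-in-time restore depends on versioning, change feed and blob soft delete,
        # and its window must be shorter than the soft-delete retention period.
        if not props.get("isVersioningEnabled"):
            findings.append("point-in-time restore requires versioning")
        if not (props.get("changeFeed") or {}).get("enabled"):
            findings.append("point-in-time restore requires change feed")
        if not soft.get("enabled"):
            findings.append("point-in-time restore requires blob soft delete")
        elif (restore.get("days") or 0) >= (soft.get("days") or 0):
            findings.append(f"restore window {restore.get('days')} days must be shorter "
                            f"than soft delete retention {soft.get('days')} days")
    return findings


# Constructed sample documents (shape assumed to match the CLI output)
SAMPLE_COMPLIANT = {
    "deleteRetentionPolicy": {"enabled": True, "days": 30},
    "containerDeleteRetentionPolicy": {"enabled": True, "days": 7},
    "isVersioningEnabled": True,
    "changeFeed": {"enabled": True, "retentionInDays": None},
    "restorePolicy": {"enabled": True, "days": 14},
}
SAMPLE_WEAK = {
    "deleteRetentionPolicy": {"enabled": False, "days": None},
    "containerDeleteRetentionPolicy": {"enabled": False, "days": None},
    "isVersioningEnabled": False,
    "changeFeed": {"enabled": False, "retentionInDays": None},
    "restorePolicy": {"enabled": True, "days": 14},
}
SAMPLE_BAD_WINDOW = dict(SAMPLE_COMPLIANT,
                         deleteRetentionPolicy={"enabled": True, "days": 14},
                         restorePolicy={"enabled": True, "days": 30})

if __name__ == "__main__":
    for label, doc in (("compliant", SAMPLE_COMPLIANT), ("weak", SAMPLE_WEAK), ("bad window", SAMPLE_BAD_WINDOW)):
        print(label, audit_blob_protection(doc) or "OK")
```

In a real environment, feed it `az storage account blob-service-properties show --account-name ... --resource-group ... -o json` parsed with `json.loads`, one account at a time.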

Customer-Managed Keys (CMK) for Storage Encryption

Explanation

📚 Explanation: Customer-Managed Keys allow organizations to control encryption keys using Azure Key Vault. This provides additional control over key lifecycle, compliance, and security policies compared to Microsoft-managed keys.

Examples

💡 Examples: Using company-controlled keys from Key Vault, rotating encryption keys on custom schedule, meeting regulatory requirements for key management, implementing defense-in-depth encryption strategies.

Enterprise Use Case

🏢 Use Case: Organizations use CMK for regulatory compliance (FIPS 140-2, Common Criteria), corporate security policies requiring key ownership, audit requirements, and when implementing zero-trust architectures.

Diagram

🎨 Visual: Customer-Managed Keys Architecture:

┌─────────────────────────────────────────────────────────────────┐
│              🔐 CUSTOMER-MANAGED KEYS (CMK)                    │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                 🏦 AZURE KEY VAULT                             │
│  🔑 Customer-Controlled Encryption Keys                        │
│                                                                 │
│  Key Management:                                               │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ 🔒 Create: Generate new encryption keys                │   │
│  │ 🔄 Rotate: Automatic or manual key rotation            │   │
│  │ 🗑️ Delete: Secure key destruction                     │   │
│  │ 📋 Audit: Track all key operations                     │   │
│  │ 🎯 Access: Control who can use keys                    │   │
│  └─────────────────────────────────────────────────────────┘   │
└─────────────────┬───────────────────────────────────────────────┘
                  │
                  ▼
┌─────────────────────────────────────────────────────────────────┐
│                💾 AZURE STORAGE ACCOUNT                       │
│            (Encrypted with Customer Keys)                      │
│                                                                 │
│  Storage Services:                                             │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ 📦 Blob Storage    ←────── CMK Encrypted                │   │
│  │ 📁 File Storage    ←────── CMK Encrypted                │   │
│  │ 📊 Table Storage   ←────── CMK Encrypted                │   │
│  │ 📋 Queue Storage   ←────── CMK Encrypted                │   │
│  └─────────────────────────────────────────────────────────┘   │
│                                                                 │
│  Encryption Process:                                           │
│  1️⃣ Data written to storage                                    │
│  2️⃣ Storage service requests encryption key from Key Vault     │
│  3️⃣ Key Vault validates permissions and provides key           │
│  4️⃣ Data encrypted with customer key before storage           │
└─────────────────────────────────────────────────────────────────┘

🛠️ CMK Implementation Commands:
══════════════════════════════════════

# Create Key Vault (storage CMK requires soft delete and purge protection on the vault)
az keyvault create \
  --name myKeyVault \
  --resource-group myRG \
  --location "East US" \
  --enable-purge-protection true

# Create encryption key
az keyvault key create \
  --vault-name myKeyVault \
  --name storageKey \
  --protection software

# Give the storage account a managed identity that Key Vault will authorize
az storage account update \
  --name mystorageaccount \
  --resource-group myRG \
  --assign-identity

# Grant that identity the key permissions the storage service needs
# (<principal-id> comes from: az storage account show ... --query identity.principalId)
az keyvault set-policy \
  --name myKeyVault \
  --object-id <principal-id> \
  --key-permissions get wrapKey unwrapKey

# Configure storage account with CMK (omitting the key version lets the
# account pick up new key versions automatically after rotation)
az storage account update \
  --name mystorageaccount \
  --resource-group myRG \
  --encryption-key-source Microsoft.Keyvault \
  --encryption-key-name storageKey \
  --encryption-key-vault https://myKeyVault.vault.azure.net/

# Verify CMK configuration
az storage account show \
  --name mystorageaccount \
  --resource-group myRG \
  --query "{keySource:encryption.keySource, keyVault:encryption.keyVaultProperties}"

🔐 Security Benefits:
═══════════════════════

Control Advantages:
• 🎯 Customer owns and controls encryption keys
• 🔄 Flexible key rotation policies  
• 🗑️ Ability to revoke access instantly
• 📋 Complete audit trail of key usage
• 🛡️ Defense against Microsoft access

Compliance Benefits:
• ✅ FIPS 140-2 Level 2 validated HSMs
• ✅ Common Criteria EAL4+ certification  
• ✅ SOC 2 Type II compliance
• ✅ ISO 27001 certification
• ✅ Regional data sovereignty requirements

⚠️ Important Considerations:
═══════════════════════════════

Key Management:
• 🔑 Key unavailability = data unavailability
• 💰 Additional cost for Key Vault operations
• 🔄 Must plan key rotation strategy
• 🚨 Backup and disaster recovery for keys
• 👥 Proper RBAC for key access

Performance Impact:
• ⏱️ Slight latency increase for key operations
• 🔄 Key Vault throttling limits
• 🌐 Cross-region considerations for key access
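Since "key unavailability = data unavailability", the CMK configuration is worth checking on a schedule rather than once at setup: the key source must still be Key Vault, the vault URI must be HTTPS, and a pinned key version means rotation will silently stop taking effect. This is an added example for this guide (not Azure code) that audits a document in the shape of `az storage account show --query encryption` output. The field names (`keySource`, `keyVaultProperties.keyVaultUri`/`keyName`/`keyVersion`, `services`) are assumed to match that output, and the SAMPLE_* documents are constructed.

```python
"""Audit a storage account's encryption block for a sound CMK configuration.

Added example for this guide; it does not call Azure. Input is a dict in the
shape of `az storage account show --query encryption` (assumed field names);
sample documents below are constructed."""
from typing import List


def audit_cmk(encryption: dict) -> List[str]:
    """Return findings about the CMK setup; an empty list means it looks correct."""
    findings = []
    source = encryption.get("keySource")
    if source != "Microsoft.Keyvault":
        # Microsoft.Storage means platform-managed keys: nothing else to check.
        findings.append(f"key source is {source!r}, not Microsoft.Keyvault (CMK not in use)")
        return findings

    kv = encryption.get("keyVaultProperties") or {}
    uri = kv.get("keyVaultUri") or ""
    if not uri.startswith("https://"):
        findings.append("key vault URI is missing or not https")
    if not kv.get("keyName"):
        findings.append("no key name configured")
    if kv.get("keyVersion"):
        # An explicit version disables automatic pickup of rotated key versions.
        findings.append(f"key version {kv['keyVersion']} is pinned; rotated versions will not be used automatically")

    # Every service listed should report encryption enabled.
    for service, state in (encryption.get("services") or {}).items():
        if not (state or {}).get("enabled"):
            findings.append(f"encryption not enabled for {service} service")
    return findings


# Constructed samples; the pinned version string is a placeholder.
SAMPLE_CMK = {
    "keySource": "Microsoft.Keyvault",
    "keyVaultProperties": {"keyName": "storageKey",
                           "keyVaultUri": "https://myKeyVault.vault.azure.net/",
                           "keyVersion": ""},
    "services": {"blob": {"enabled": True, "keyType": "Account"},
                 "file": {"enabled": True, "keyType": "Account"}},
}
SAMPLE_MMK = {"keySource": "Microsoft.Storage", "keyVaultProperties": None,
              "services": {"blob": {"enabled": True, "keyType": "Account"}}}
SAMPLE_PINNED = dict(SAMPLE_CMK, keyVaultProperties={"keyName": "storageKey",
                                                     "keyVaultUri": "https://myKeyVault.vault.azure.net/",
                                                     "keyVersion": "<placeholder-version>"})

if __name__ == "__main__":
    for label, doc in (("cmk", SAMPLE_CMK), ("platform keys", SAMPLE_MMK), ("pinned", SAMPLE_PINNED)):
        print(label, audit_cmk(doc) or "OK")
```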

Create Storage Accounts via Azure Portal

Explanation

📚 Explanation: Azure Portal provides a user-friendly wizard interface for creating storage accounts with guided configuration. It offers visual feedback, validation, and helps users understand different storage options through an intuitive graphical interface.

Examples

💡 Examples: Using the storage account creation wizard, selecting performance tiers visually, configuring redundancy options through dropdown menus, setting up network access restrictions via the GUI.

Enterprise Use Case

🏢 Use Case: Organizations use Portal for initial learning, one-off account creation, testing configurations, and when visual guidance is preferred over command-line interfaces.

Diagram

🎨 Visual: Azure Portal Storage Account Creation:

📋 Creation Wizard Steps:
1️⃣ Basics: Name, Resource Group, Region, Performance, Redundancy
2️⃣ Advanced: Security, Access Tier, Blob Settings  
3️⃣ Networking: Connectivity, Routing
4️⃣ Data Protection: Backup, Recovery
5️⃣ Encryption: Keys, Scope
6️⃣ Tags: Metadata
7️⃣ Review + Create

Create Storage Accounts via Azure CLI

Explanation

📚 Explanation: Azure CLI provides a command-line interface for creating storage accounts using "az storage account create" commands. It offers scriptable, repeatable, and automatable storage account deployment with precise parameter control.

Examples

💡 Examples: Creating storage accounts in CI/CD pipelines, bulk account creation with scripts, Infrastructure as Code implementations, automated environment provisioning.

Enterprise Use Case

🏢 Use Case: DevOps teams use CLI for automation, Infrastructure as Code, CI/CD pipelines, scripted deployments, and when consistent, repeatable configurations are required.

Diagram

🎨 Visual: Azure CLI Storage Creation:

# Basic creation command
az storage account create \
  --name mystorageaccount \
  --resource-group myRG \
  --location "East US" \
  --sku Standard_LRS \
  --kind StorageV2

Create Storage Accounts via PowerShell

Explanation

📚 Explanation: Azure PowerShell provides object-oriented cmdlets for creating storage accounts using New-AzStorageAccount. It offers rich scripting capabilities, Windows integration, and comprehensive parameter handling with pipeline support.

Examples

💡 Examples: Enterprise automation scripts, Windows-based deployment tools, integration with existing PowerShell infrastructure, complex provisioning scenarios with error handling.

Enterprise Use Case

🏢 Use Case: Windows-centric organizations use PowerShell for enterprise automation, integration with existing Windows infrastructure, advanced scripting scenarios, and when object-oriented approach is preferred.

Diagram

🎨 Visual: PowerShell Storage Creation:

# Create storage account with PowerShell (lines continue with a backtick)
New-AzStorageAccount `
  -ResourceGroupName "myRG" `
  -AccountName "mystorageaccount" `
  -Location "East US" `
  -SkuName "Standard_LRS" `
  -Kind "StorageV2"

Azure Import/Export Service

Explanation

📚 Explanation: Azure Import/Export service enables secure transfer of large amounts of data to and from Azure Blob storage using physical disk drives. It provides offline data transfer capabilities when network transfer is impractical.

Examples

💡 Examples: Migrating terabytes of data to Azure, initial cloud seeding, disaster recovery scenarios, transferring data from remote locations with limited bandwidth.

Enterprise Use Case

🏢 Use Case: Organizations use Import/Export for large-scale data migrations, when network transfer would be too slow or expensive, or when bandwidth limitations prevent online transfer.

Diagram

🎨 Visual: Import/Export Process:

📦 EXPORT Process:
1️⃣ Create export job in Azure
2️⃣ Microsoft ships drives to you
3️⃣ Data copied from Azure to drives
4️⃣ Drives shipped back to you

📥 IMPORT Process:  
1️⃣ Prepare drives with your data
2️⃣ Create import job in Azure
3️⃣ Ship drives to Microsoft
4️⃣ Data transferred to your storage account

IP Addressing and Network Configuration

Explanation

Azure uses both public and private IP addresses for resource communication. Private IPs enable internal communication within VNets, while public IPs allow internet connectivity. Network routes define traffic paths, and NICs connect VMs to networks.

Examples

Assigning static private IPs to domain controllers, configuring public IPs for web servers, setting up multiple NICs for network appliances, creating custom routing tables for traffic control.

Enterprise Use Case

IT teams configure IP addressing to ensure proper network communication, implement security through network segmentation, and optimize traffic flow for performance and compliance.

Diagram

IP Address Configuration:
Internet ← [Public IP] ← [Load Balancer] ← [VNet]
                                             ↓
                           [Private IP Range: 10.0.0.0/16]
                                             ↓
                            [VM1: 10.0.1.4] [VM2: 10.0.1.5]

IP Address Management

Explanation

Azure IP address management involves planning, allocation, and monitoring of both public and private IP addresses. Proper IP management ensures efficient utilization, prevents conflicts, and supports network scalability and security requirements.

Examples

Creating IP address pools for different environments, reserving static IPs for critical resources, implementing IPAM solutions, managing IP address lifecycle from allocation to deallocation.

Enterprise Use Case

Organizations use IP address management to prevent address conflicts, ensure compliance with network policies, optimize address utilization, and maintain network documentation for auditing.

Diagram

IP Address Management:
┌─────────────────────────────────────┐
│         IP Address Pool             │
├─────────────────────────────────────┤
│ Public IPs:  40.112.x.x/24         │
│ Private IPs: 10.0.0.0/16           │
│ Reserved:    10.0.255.0/24         │
│ Available:   10.0.1.0-10.0.254.0   │
└─────────────────────────────────────┘

Public IP Addresses

Explanation

Public IP addresses enable Azure resources to communicate with the internet and other Azure services. They can be static or dynamic, support IPv4/IPv6, and are associated with resources like VMs, load balancers, and application gateways.

Examples

Assigning static public IPs to web servers, configuring dynamic IPs for development environments, reserving IP addresses for DNS records, implementing IPv6 for modern applications.

Enterprise Use Case

Organizations use public IPs to expose applications to the internet, enable remote access to resources, support email servers and web services, and maintain consistent external connectivity.

Diagram

Public IP Configuration:
Internet
    ↓
[Public IP: 40.112.48.5]
    ↓
[Network Interface]
    ↓
[Virtual Machine]

Private IP Addresses

Explanation

Private IP addresses provide internal communication within virtual networks using RFC 1918 address spaces. They can be dynamically assigned by DHCP or statically configured, enabling secure communication between Azure resources.

Examples

Configuring static private IPs for domain controllers, using dynamic assignment for web servers, implementing IP reservations for database servers, setting up multi-NIC configurations.

Enterprise Use Case

IT teams use private IPs for internal application communication, database connectivity, domain services, and creating secure network segments isolated from the internet.

Diagram

Private IP Allocation:
┌─────────────────────────────────┐
│      Virtual Network           │
│    Address: 10.0.0.0/16        │
├─────────────────────────────────┤
│  VM1: 10.0.1.4 (Static)        │
│  VM2: 10.0.1.5 (Dynamic)       │
│  DB:  10.0.2.10 (Static)       │
└─────────────────────────────────┘
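An added example (not code from this guide) that checks an address plan against the rules stated in the IP management and private IP sections above: RFC 1918 space, subnets inside the VNet with no overlap, Azure's /29 minimum subnet, and the five addresses Azure reserves in every subnet, which is why VM1 in the diagram receives 10.0.1.4 rather than 10.0.1.1. The subnet names and the second, deliberately broken plan are constructed for the example.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet: the network address, the next
# three (default gateway and Azure DNS mapping) and the broadcast address.
# That is why the first VM in a 10.0.1.0/24 subnet receives 10.0.1.4.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_PREFIX = 29  # smallest subnet Azure accepts

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def reserved_addresses(cidr: str) -> set:
    net = ipaddress.ip_network(cidr)
    return {net[0], net[1], net[2], net[3], net[-1]}


def first_usable(cidr: str) -> str:
    return str(ipaddress.ip_network(cidr)[4])


def usable_hosts(cidr: str) -> int:
    return max(ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet: str, subnets: dict, static_ips: dict) -> list:
    """Return a list of problems with an address plan (empty list means valid).

    subnets:    subnet name -> CIDR
    static_ips: host name   -> (subnet name, statically assigned IP)
    """
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    if not is_rfc1918(vnet):
        problems.append(f"VNet {vnet} is not an RFC 1918 private range")

    nets = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vnet_net):
            problems.append(f"subnet {name} ({cidr}) is outside VNet {vnet}")
        if net.prefixlen > AZURE_MIN_PREFIX:
            problems.append(f"subnet {name} ({cidr}) is smaller than Azure's /29 minimum")
        for other, other_net in nets.items():
            if net.overlaps(other_net):
                problems.append(f"subnet {name} ({cidr}) overlaps {other} ({other_net})")
        nets[name] = net

    seen = {}
    for host, (subnet_name, ip) in static_ips.items():
        addr = ipaddress.ip_address(ip)
        net = nets.get(subnet_name)
        if net is None:
            problems.append(f"{host}: unknown subnet {subnet_name}")
            continue
        if addr not in net:
            problems.append(f"{host}: {ip} is not inside subnet {subnet_name} ({net})")
        elif addr in reserved_addresses(str(net)):
            problems.append(f"{host}: {ip} is reserved by Azure in {net}")
        if ip in seen:
            problems.append(f"{host}: {ip} is already assigned to {seen[ip]}")
        seen[ip] = host
    return problems


# The plan from the diagrams above (subnet names are constructed).
PAGE_PLAN = dict(
    vnet="10.0.0.0/16",
    subnets={"web": "10.0.1.0/24", "db": "10.0.2.0/24", "reserved": "10.0.255.0/24"},
    static_ips={"VM1": ("web", "10.0.1.4"), "DB": ("db", "10.0.2.10")},
)

# A constructed plan that breaks several rules at once.
BAD_PLAN = dict(
    vnet="10.0.0.0/16",
    subnets={"web": "10.0.1.0/24", "tiny": "10.0.1.0/30", "outside": "10.1.0.0/24"},
    static_ips={"DC1": ("web", "10.0.1.1"), "DC2": ("web", "10.0.1.4"), "DC3": ("web", "10.0.1.4")},
)

if __name__ == "__main__":
    print("page plan problems:", validate_plan(**PAGE_PLAN))   # []
    for p in validate_plan(**BAD_PLAN):
        print("bad plan:", p)
```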

Multiple Network Interfaces

Explanation

Azure VMs can have multiple network interface cards (NICs) attached, enabling connection to different subnets or VNets. This supports network appliance scenarios, traffic segmentation, and high-availability configurations.

Examples

Creating firewall VMs with management and data NICs, separating frontend and backend traffic, implementing network appliances, configuring multi-homed servers.

Enterprise Use Case

Organizations use multiple NICs for network security appliances, traffic isolation, compliance requirements, and creating dedicated management networks separate from production traffic.

Diagram

Multiple NIC Configuration:
┌─────────────┐    ┌──────────────┐
│   Subnet A  │────│    NIC 1     │
└─────────────┘    │              │
                   │      VM      │
┌─────────────┐    │              │
│   Subnet B  │────│    NIC 2     │
└─────────────┘    └──────────────┘

Virtual Network Peering

Explanation

VNet peering connects two virtual networks, enabling resources in both to communicate as if they were in the same network. It supports both regional and global peering with low latency and high bandwidth connections.

Examples

Connecting production and development VNets, implementing hub-spoke architectures, enabling cross-region connectivity, creating shared services networks.

Enterprise Use Case

Organizations use VNet peering for network consolidation, shared services access, disaster recovery scenarios, and creating scalable network topologies without the complexity of gateways.

Diagram

Virtual Network Peering - Hub-Spoke & Global Connectivity Architecture:

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                         🏗️ HUB-SPOKE NETWORK TOPOLOGY                                │
└═══════════════════════════════════════════════════════════════════════════════════════┘

                           🔗 Regional Peering (Same Region)
                           ═══════════════════════════════════
                                        
                    ┌─────────────────────────────────────────┐
                    │        🏢 HUB VNET (Central)           │
                    │      Network: 10.0.0.0/16              │
                    │  ┌─────────────────────────────────────┐│
                    │  │    🛡️ Shared Services Subnet       ││
                    │  │  • Azure Firewall (10.0.1.0/24)   ││
                    │  │  • VPN Gateway (10.0.2.0/27)      ││
                    │  │  • Bastion Host (10.0.3.0/27)     ││
                    │  │  • DNS Forwarder (10.0.4.0/24)    ││
                    │  └─────────────────────────────────────┘│
                    └─────────────────────┬───────────────────┘
                                         │
                    ┌────────────────────────────────────────┐
                    │              🌟 PEERING HUB             │
                    │         (Transitive Gateway)           │
                    └────────────────────┬───────────────────┘
                                         │
      ┌─────────────────────────────────────┼─────────────────────────────────────┐
      │                                     │                                     │
      ▼                                     ▼                                     ▼
┌─────────────┐                     ┌─────────────┐                     ┌─────────────┐
│ 🏭 PROD VNET │                     │ 🔧 DEV VNET │                     │ 🧪 TEST VNET│
│10.1.0.0/16  │                     │10.2.0.0/16  │                     │10.3.0.0/16  │
├─────────────┤                     ├─────────────┤                     ├─────────────┤
│             │                     │             │                     │             │
│Web Subnet:  │◄────peering────────►│Web Subnet:  │◄────peering────────►│Web Subnet:  │
│10.1.1.0/24  │     (blocked)       │10.2.1.0/24  │     (blocked)       │10.3.1.0/24  │
│             │                     │             │                     │             │
│App Subnet:  │  ✅ Hub Services     │App Subnet:  │  ✅ Hub Services     │App Subnet:  │
│10.1.2.0/24  │  ❌ Direct Spoke     │10.2.2.0/24  │  ❌ Direct Spoke     │10.3.2.0/24  │
│             │                     │             │                     │             │
│DB Subnet:   │  🔄 Transit via Hub │DB Subnet:   │  🔄 Transit via Hub │DB Subnet:   │
│10.1.3.0/24  │                     │10.2.3.0/24  │                     │10.3.3.0/24  │
└─────────────┘                     └─────────────┘                     └─────────────┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                         🌍 GLOBAL PEERING & CROSS-REGION CONNECTIVITY                │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ East US Region                          🌐 Global Peering                West Europe │
│ ═══════════════                        ═══════════════════                ══════════ │
│                                                                                       │
│ ┌─────────────────────────────────┐    Encrypted over Microsoft    ┌─────────────────┐ │
│ │    🏢 Primary Hub VNet          │◄───── Backbone Network ──────►│  🏢 DR Hub VNet │ │
│ │    Network: 10.0.0.0/16         │                                │  Network:       │ │
│ │                                 │    High Bandwidth              │  172.16.0.0/16  │ │
│ │ Services:                       │    Low Latency                 │                 │ │
│ │ • Production Applications       │    No Internet Transit         │ Services:       │ │
│ │ • Primary Database             │                                │ • DR Applications│ │
│ │ • Active Directory             │    💰 Cross-region charges     │ • Backup DB     │ │
│ │ • Monitoring & Logging         │       apply for data transfer  │ • Replica AD    │ │
│ └─────────────────────────────────┘                                └─────────────────┘ │
│                                                                                       │
│ Connected Spoke VNets:                                             Connected Spokes:  │
│ • Production (10.1.0.0/16)                                        • DR-Prod (172.17) │ │
│ • Development (10.2.0.0/16)                                       • DR-Test (172.18) │ │
│ • Management (10.3.0.0/16)                                        • Backup (172.19)  │ │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                            📊 PEERING CONFIGURATION MATRIX                            │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Feature                      │ Regional Peering       │ Global Peering              │ │
│ ══════════════════════════  │ ═══════════════════   │ ══════════════════════════  │ │
│ 🌐 Scope                    │ Same Azure region      │ Different Azure regions     │ │
│ 💰 Cost                     │ No ingress charges     │ Outbound data charges apply │ │
│ ⚡ Latency                  │ <1ms typical          │ Region-dependent (<100ms)   │ │
│ 🔒 Security                 │ Microsoft backbone     │ Microsoft backbone          │ │
│ 🔄 Transitivity             │ Not supported          │ Not supported               │ │
│ 🎛️ Gateway Transit          │ ✅ Supported           │ ✅ Supported                │ │
│ 🌍 Address Space Overlap    │ ❌ Not allowed         │ ❌ Not allowed              │ │
│ 📊 Bandwidth Limit          │ None                   │ None                        │ │
│                                                                                       │
│ Traffic Flow Control         │ Configuration Options                                │ │
│ ══════════════════════      │ ═══════════════════════                              │ │
│                              │                                                      │ │
│ 🔀 Allow Virtual Network    │ ✅ Forward traffic from remote virtual network       │ │
│    Access                   │ ❌ Block traffic from remote virtual network         │ │
│                              │                                                      │ │
│ 🚪 Allow Gateway Transit    │ ✅ Allow remote VNet to use local VNet gateway      │ │
│                              │ ❌ Block gateway transit                             │ │
│                              │                                                      │ │
│ 🌐 Use Remote Gateway       │ ✅ Use the remote virtual network's gateway         │ │
│                              │ ❌ Use local gateway or no gateway                   │ │
│                              │                                                      │ │
│ 🔄 Allow Forwarded Traffic  │ ✅ Accept traffic forwarded by NVA/Firewall         │ │
│                              │ ❌ Only accept traffic originating from VNet        │ │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                        🚀 TRAFFIC FLOW & ROUTING SCENARIOS                           │ 
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Scenario 1: Hub-Spoke Communication with Gateway Transit                             │
│ ═══════════════════════════════════════════════════                                  │
│                                                                                       │
│ 🏭 Spoke VNet (Prod)        🏢 Hub VNet                    🌐 On-Premises             │
│ ┌─────────────────┐        ┌─────────────────┐           ┌─────────────────┐         │
│ │ VM-Web          │────────▶│ VPN Gateway     │◄──────────│ Corporate DC    │         │
│ │ 10.1.1.10      │        │ 10.0.2.4        │           │ 192.168.0.0/16  │         │
│ │                 │        │                 │           │                 │         │
│ │ Route Table:    │        │ UDR: 192.168/16 │           │ Route: 10.0/8   │         │
│ │ 192.168/16 →   │        │ → 10.0.2.4      │           │ → VPN Gateway   │         │
│ │   via Hub GW    │        │                 │           │                 │         │
│ └─────────────────┘        └─────────────────┘           └─────────────────┘         │
│                                                                                       │
│ Scenario 2: Spoke-to-Spoke via Hub Firewall (Force Tunneling)                       │
│ ═══════════════════════════════════════════════════════════════                      │
│                                                                                       │
│ 🏭 Spoke A (Prod)          🛡️ Hub Firewall              🔧 Spoke B (Dev)             │
│ ┌─────────────────┐        ┌─────────────────┐           ┌─────────────────┐         │
│ │ VM-API          │────────▶│ Azure Firewall  │──────────▶│ VM-Database     │         │
│ │ 10.1.1.20      │        │ 10.0.1.4        │           │ 10.2.3.10       │         │
│ │                 │        │                 │           │                 │         │
│ │ UDR: 10.2/16 →  │        │ Network Rules:  │           │ UDR: 10.1/16 →  │         │
│ │   10.0.1.4      │        │ Allow 10.1→10.2 │           │   10.0.1.4      │         │
│ │                 │        │ Port 1433       │           │                 │         │
│ └─────────────────┘        └─────────────────┘           └─────────────────┘         │
└═══════════════════════════════════════════════════════════════════════════════════════┘
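A model of the peering semantics from the configuration matrix and the two traffic scenarios above, added here as an example (not code from the guide). VNet names, address spaces, the NVA at 10.0.1.4 and the UDRs mirror the diagram; the rules encoded (peering is non-transitive, overlapping address spaces cannot peer, UseRemoteGateways needs AllowGatewayTransit and a gateway on the remote side, and spoke-to-spoke transit via an NVA needs a UDR plus AllowForwardedTraffic on each spoke) are stated as assumptions about Azure's behavior.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VNet:
    name: str
    address_space: str
    has_gateway: bool = False          # VPN/ExpressRoute gateway in its GatewaySubnet
    nva_ip: Optional[str] = None       # Azure Firewall / NVA private IP, if any
    udr: dict = field(default_factory=dict)  # user-defined routes: prefix -> next hop IP


@dataclass
class PeeringSide:
    """Settings on ONE VNet's side of a peering (each side is a separate resource)."""
    allow_vnet_access: bool = True
    allow_forwarded_traffic: bool = False
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False


class PeeringTopology:
    def __init__(self):
        self.vnets = {}
        self.sides = {}  # (local, remote) -> PeeringSide configured on local

    def add_vnet(self, v: VNet) -> None:
        self.vnets[v.name] = v

    def peer(self, a: str, b: str, a_side: PeeringSide, b_side: PeeringSide) -> None:
        va, vb = self.vnets[a], self.vnets[b]
        if ipaddress.ip_network(va.address_space).overlaps(ipaddress.ip_network(vb.address_space)):
            raise ValueError(f"{a} and {b} overlap: address space overlap is not allowed")
        for local, remote, side, other in ((a, b, a_side, b_side), (b, a, b_side, a_side)):
            if side.use_remote_gateways:
                if not (other.allow_gateway_transit and self.vnets[remote].has_gateway):
                    raise ValueError(f"{local}: UseRemoteGateways needs AllowGatewayTransit "
                                     f"and a gateway on {remote}")
                if self.vnets[local].has_gateway:
                    raise ValueError(f"{local} has its own gateway; cannot use a remote one")
        self.sides[(a, b)], self.sides[(b, a)] = a_side, b_side

    def direct(self, src: str, dst: str) -> bool:
        """Non-transitive: src reaches dst only over a peering between those two VNets."""
        s, d = self.sides.get((src, dst)), self.sides.get((dst, src))
        return bool(s and d and s.allow_vnet_access and d.allow_vnet_access)

    def via_nva(self, src: str, hub: str, dst: str):
        """Spoke-to-spoke through the hub's NVA (Scenario 2). Returns (ok, reason)."""
        if not (self.direct(src, hub) and self.direct(dst, hub)):
            return False, "both spokes must be peered with the hub"
        nva = self.vnets[hub].nva_ip
        if nva is None:
            return False, f"{hub} has no NVA to forward traffic"
        # Request and reply both cross the hub, so each spoke needs a UDR to the
        # NVA and must accept traffic the hub forwards from the other spoke.
        for spoke, other in ((src, dst), (dst, src)):
            target = ipaddress.ip_network(self.vnets[other].address_space)
            if not any(target.subnet_of(ipaddress.ip_network(p)) and hop == nva
                       for p, hop in self.vnets[spoke].udr.items()):
                return False, f"{spoke} needs a UDR sending {target} to {nva}"
            if not self.sides[(spoke, hub)].allow_forwarded_traffic:
                return False, f"{spoke} must set AllowForwardedTraffic on its peering to {hub}"
        return True, "allowed via hub NVA, subject to the NVA's own rules"

    def reaches_onprem(self, name: str) -> bool:
        """Own gateway, or gateway transit borrowed from a peered hub (Scenario 1)."""
        if self.vnets[name].has_gateway:
            return True
        return any(side.use_remote_gateways
                   for (local, _), side in self.sides.items() if local == name)


def build_page_topology() -> PeeringTopology:
    """Hub-spoke layout from the diagram: prod and dev are wired for NVA transit, test is not."""
    t = PeeringTopology()
    t.add_vnet(VNet("hub", "10.0.0.0/16", has_gateway=True, nva_ip="10.0.1.4"))
    t.add_vnet(VNet("prod", "10.1.0.0/16", udr={"10.2.0.0/16": "10.0.1.4"}))
    t.add_vnet(VNet("dev", "10.2.0.0/16", udr={"10.1.0.0/16": "10.0.1.4"}))
    t.add_vnet(VNet("test", "10.3.0.0/16"))
    hub_side = PeeringSide(allow_gateway_transit=True)
    transit_spoke = PeeringSide(use_remote_gateways=True, allow_forwarded_traffic=True)
    for spoke in ("prod", "dev"):
        t.peer("hub", spoke, hub_side, transit_spoke)
    t.peer("hub", "test", hub_side, PeeringSide(use_remote_gateways=True))
    return t


if __name__ == "__main__":
    t = build_page_topology()
    print("prod -> dev direct:", t.direct("prod", "dev"))        # False (non-transitive)
    print("prod -> dev via NVA:", t.via_nva("prod", "hub", "dev"))
    print("prod -> test via NVA:", t.via_nva("prod", "hub", "test"))
    print("prod reaches on-prem:", t.reaches_onprem("prod"))     # True
```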

Virtual Network Gateways

Explanation

Virtual network gateways provide secure connectivity between Azure VNets and on-premises networks or other VNets. They support site-to-site VPN, point-to-site VPN, and ExpressRoute connections with various performance tiers.

Examples

Establishing site-to-site VPN tunnels, configuring point-to-site access for remote workers, implementing ExpressRoute connections, setting up VNet-to-VNet connectivity.

Enterprise Use Case

Organizations use VPN gateways for hybrid cloud connectivity, secure remote access, disaster recovery sites, and extending on-premises networks to Azure.

Diagram

Virtual Network Gateways - Comprehensive Hybrid Connectivity Architecture:
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                        🌉 VPN GATEWAY DEPLOYMENT & CONNECTIVITY MODELS                │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│        🏢 SITE-TO-SITE VPN MODEL        │    │        👤 POINT-TO-SITE VPN MODEL      │
│                                         │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │                                         │
│ On-Premises Network                     │    │ Remote Client Connections               │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ 🏭 Corporate Datacenter             │ │    │ │ 💻 Remote Workers                   │ │
│ │ • Network: 192.168.0.0/16          │ │    │ │ • Windows/Mac/Linux clients         │ │
│ │ • Domain controllers               │ │    │ │ • Mobile devices (iOS/Android)     │ │
│ │ • File servers                     │ │    │ │ • Certificate authentication       │ │
│ │ • Legacy applications              │ │    │ │ • RADIUS/Azure AD auth             │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────────────────────────┘ │
│                    │                    │    │                    │                    │
│                    ▼                    │    │                    ▼                    │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ 🛡️ On-Premises VPN Device          │ │    │ │ 📱 VPN Client Software              │ │
│ │ • Cisco ASA/ISR series             │ │    │ │ • Azure VPN Client (Windows)       │ │
│ │ • Juniper SRX series               │ │    │ │ • Native clients (iOS/Android)     │ │
│ │ • Palo Alto firewall               │ │    │ │ • OpenVPN compatible clients       │ │
│ │ • Fortinet FortiGate               │ │    │ │ • IKEv2/SSTP protocols             │ │
│ │ • Public IP: 203.0.113.10          │ │    │ │ • Dynamic IP addresses             │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────────────────────────┘ │
│                    │                    │    │                    │                    │
│                    │ IPsec Tunnel        │    │                    │ SSL/TLS Tunnel     │
│ ┌──────────────────▼──────────────────┐ │    │ ┌──────────────────▼──────────────────┐ │
│ │ 🔐 Tunnel Configuration             │ │    │ │ 🔐 Client Configuration             │ │
│ │ • Pre-shared key (PSK)              │ │    │ │ • Root certificate installed        │ │
│ │ • BGP/Static routing                │ │    │ │ • Client certificate                │ │
│ │ • IKEv1/IKEv2 protocols             │ │    │ │ • Address pool: 172.16.100.0/24     │ │
│ │ • AES-256 encryption                │ │    │ │ • Split tunneling supported         │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────────────────────────┘ │
└─────────────────────────────────────────┘    └─────────────────────────────────────────┘
                    │                                              │
                    │ Internet Connectivity                        │
                    ▼                                              ▼
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                              ☁️ AZURE CLOUD INFRASTRUCTURE                            │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Azure VPN Gateway Deployment                                                          │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🌉 Virtual Network Gateway                                                      │ │
│ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │
│ │ │ Gateway Configuration                                                       │ │ │
│ │ │ • Type: VPN                        • SKU: VpnGw2AZ                          │ │ │
│ │ │ • Routing: Route-based            • Generation: Generation2                 │ │ │
│ │ │ • Public IP: 20.53.203.50         • Active-passive/Active-active           │ │ │
│ │ │ • BGP ASN: 65515                  • BGP peer IP: 169.254.21.1              │ │ │
│ │ └─────────────────────────────────────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                       │
│ Gateway Subnet (Mandatory)                                                            │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 📍 GatewaySubnet: 10.1.255.0/27                                               │ │
│ │ • Reserved exclusively for VPN Gateway                                          │ │
│ │ • Minimum /29, recommended /27 or larger                                        │ │
│ │ • Cannot contain other resources                                                │ │
│ │ • Route table: System-managed                                                   │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                       │
│ Target Virtual Network                                                                │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🏗️ Hub VNet: 10.1.0.0/16                                                       │ │
│ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │
│ │ │ 🖥️ Infrastructure Subnet: 10.1.1.0/24                                      │ │ │
│ │ │ • Domain controllers: 10.1.1.10, 10.1.1.11                                │ │ │
│ │ │ • DNS servers: 10.1.1.20, 10.1.1.21                                       │ │ │
│ │ │ • Management VMs: 10.1.1.30-50                                             │ │ │
│ │ └─────────────────────────────────────────────────────────────────────────────┘ │ │
│ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │
│ │ │ 🌐 Application Subnet: 10.1.2.0/24                                         │ │ │
│ │ │ • Web servers: 10.1.2.10-20                                                │ │ │
│ │ │ • App servers: 10.1.2.30-40                                                │ │ │
│ │ │ • Load balancers: 10.1.2.100                                               │ │ │
│ │ └─────────────────────────────────────────────────────────────────────────────┘ │ │
│ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │
│ │ │ 🔒 Database Subnet: 10.1.3.0/24                                            │ │ │
│ │ │ • SQL servers: 10.1.3.10-20                                                │ │ │
│ │ │ • Backup servers: 10.1.3.30                                                │ │ │
│ │ │ • Network security: Restricted access                                       │ │ │
│ │ └─────────────────────────────────────────────────────────────────────────────┘ │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                              🛠️ VPN GATEWAY SKU & PERFORMANCE TIERS                  │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Gateway SKU Comparison                                                                │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ SKU       │ Aggregate Throughput │ Max Connections │ BGP Support │ Zone Redundant│ │
│ ├─────────────────────────────────────────────────────────────────────────────────┤ │
│ │ Basic     │ 100 Mbps            │ 128            │ No          │ No            │ │
│ │ VpnGw1    │ 650 Mbps            │ 128            │ Yes         │ No            │ │
│ │ VpnGw2    │ 1 Gbps              │ 128            │ Yes         │ No            │ │
│ │ VpnGw3    │ 1.25 Gbps           │ 128            │ Yes         │ No            │ │
│ │ VpnGw1AZ  │ 650 Mbps            │ 128            │ Yes         │ Yes           │ │
│ │ VpnGw2AZ  │ 1 Gbps              │ 128            │ Yes         │ Yes           │ │
│ │ VpnGw3AZ  │ 1.25 Gbps           │ 128            │ Yes         │ Yes           │ │
│ │ VpnGw4AZ  │ 5 Gbps              │ 128            │ Yes         │ Yes           │ │
│ │ VpnGw5AZ  │ 10 Gbps             │ 128            │ Yes         │ Yes           │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                       │
│ Connection Types & Protocols                                                          │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🔗 Site-to-Site VPN                                                             │ │
│ │ • Protocol: IPsec/IKE (IKEv1 and IKEv2)                                        │ │
│ │ • Routing: Route-based (recommended) or Policy-based                            │ │
│ │ • Max connections: Depends on gateway SKU                                       │ │
│ │ • BGP support: Available on VpnGw1+ SKUs                                        │ │
│ │                                                                                 │ │
│ │ 👤 Point-to-Site VPN                                                            │ │
│ │ • Protocols: IKEv2, SSTP (SSL), OpenVPN                                        │ │
│ │ • Authentication: Certificate, RADIUS, Azure AD                                 │ │
│ │ • Max concurrent connections: Up to 128 (depends on SKU)                       │ │
│ │ • Client IP pool: Configurable private range                                   │ │
│ │                                                                                 │ │
│ │ 🌐 VNet-to-VNet                                                                 │ │
│ │ • Same region or cross-region connectivity                                      │ │
│ │ • Uses IPsec/IKE tunnels                                                        │ │
│ │ • Supports BGP for dynamic routing                                              │ │
│ │ • Alternative to VNet peering for specific scenarios                            │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                           🔧 DEPLOYMENT & CONFIGURATION WORKFLOWS                     │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Site-to-Site VPN Deployment Steps                                                    │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 1️⃣ Create Virtual Network Gateway                                               │ │
│ │ az network vnet-gateway create \                                               │ │
│ │   --resource-group MyResourceGroup \                                           │ │
│ │   --name MyVNetGateway \                                                       │ │
│ │   --location eastus \                                                          │ │
│ │   --public-ip-address MyGatewayIP \                                            │ │
│ │   --vnet MyVNet \                                                              │ │
│ │   --gateway-type Vpn \                                                         │ │
│ │   --sku VpnGw2AZ \                                                             │ │
│ │   --vpn-type RouteBased                                                         │ │
│ │                                                                                 │ │
│ │ 2️⃣ Create Local Network Gateway                                                 │ │
│ │ az network local-gateway create \                                              │ │
│ │   --resource-group MyResourceGroup \                                           │ │
│ │   --name MyLocalGateway \                                                      │ │
│ │   --location eastus \                                                          │ │
│ │   --gateway-ip-address 203.0.113.10 \                                         │ │
│ │   --local-address-prefixes 192.168.0.0/16                                      │ │
│ │                                                                                 │ │
│ │ 3️⃣ Create VPN Connection                                                        │ │
│ │ az network vpn-connection create \                                             │ │
│ │   --resource-group MyResourceGroup \                                           │ │
│ │   --name MyConnection \                                                        │ │
│ │   --vnet-gateway1 MyVNetGateway \                                              │ │
│ │   --local-gateway2 MyLocalGateway \                                            │ │
│ │   --location eastus \                                                          │ │
│ │   --shared-key "MySharedKey123!"                                               │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
│                                                                                       │
│ Point-to-Site VPN Configuration                                                       │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 1️⃣ Configure P2S settings on VPN Gateway                                       │ │
│ │ • Address pool: 172.16.100.0/24                                                │ │
│ │ • Tunnel type: IKEv2 and SSTP                                                  │ │
│ │ • Authentication: Azure certificate                                             │ │
│ │                                                                                 │ │
│ │ 2️⃣ Generate and install certificates                                           │ │
│ │ • Root certificate: Upload public key to Azure                                 │ │
│ │ • Client certificates: Generate from root certificate                          │ │
│ │ • Install client certificate on user devices                                   │ │
│ │                                                                                 │ │
│ │ 3️⃣ Download VPN client configuration                                           │ │
│ │ • Azure portal: Download client package                                        │ │
│ │ • Extract and install on client devices                                        │ │
│ │ • Test connectivity to Azure resources                                         │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                             📊 MONITORING & TROUBLESHOOTING                           │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Connection Health Monitoring                                                          │
│ ┌─────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 📈 Key Metrics to Monitor                                                       │ │
│ │ • Gateway bandwidth utilization                                                 │ │
│ │ • Tunnel connectivity status                                                    │ │
│ │ • BGP route advertisements                                                      │ │
│ │ • Point-to-site connection count                                                │ │
│ │ • Packet drop rates                                                             │ │
│ │                                                                                 │ │
│ │ 🚨 Common Issues & Solutions                                                    │ │
│ │ • Connection timeout → Check firewall rules                                    │ │
│ │ • BGP not advertising → Verify ASN configuration                               │ │
│ │ • Slow performance → Upgrade gateway SKU                                       │ │
│ │ • Certificate errors → Validate certificate chain                              │ │
│ │ • Routing issues → Check effective routes                                      │ │
│ └─────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘

Point-to-Site VPN

Explanation

Point-to-site VPN enables individual clients to securely connect to Azure VNets from remote locations. It supports certificate-based authentication, RADIUS authentication, and Azure AD authentication methods.

Examples

Enabling remote worker access to Azure resources, connecting developer machines to staging environments, providing secure access for administrators, implementing BYOD scenarios.

Enterprise Use Case

Organizations use P2S VPN for remote workforce connectivity, secure administrative access, development environment access, and temporary project-based access to Azure resources.

Diagram

Point-to-Site VPN:
Remote Users
     |
[VPN Client] ←→ [VPN Gateway] ←→ [Azure VNet]
     |              |              |
[Certificate]  [P2S Config]   [Resources]
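The configuration steps above fix the client address pool (172.16.100.0/24) before anything else, and the rule a practitioner checks first is that this pool does not overlap the gateway's VNet, any peered VNet, or an on-premises range reachable through the same gateway: a client whose tunnel address lands inside one of those ranges cannot route to it. The following Python is an added example, not code from the study guide; the VNet, peered-VNet and on-premises prefixes are constructed sample values, and the client-count figure is only the arithmetic bound of the pool (the gateway SKU imposes its own, usually lower, connection limit).

```python
"""Validate a Point-to-Site client address pool before configuring the VPN gateway.

Added example for the P2S configuration steps; not part of the study guide.
All prefixes other than the diagram's pool are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Tuple

P2S_POOL = "172.16.100.0/24"   # the address pool from the configuration diagram

# Constructed inventory of every prefix the VPN clients must be able to reach.
REACHABLE_PREFIXES: Dict[str, List[str]] = {
    "gateway VNet": ["10.0.0.0/16"],
    "peered VNets": ["10.1.0.0/16", "10.2.0.0/16"],
    "on-premises":  ["192.168.0.0/16", "172.16.0.0/20"],   # 172.16.0.0-172.16.15.255
}


def find_overlaps(pool: str, prefixes: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (label, prefix) for every reachable prefix that overlaps the pool.

    strict=True makes ip_network reject a pool whose host bits are set
    (e.g. 172.16.100.1/24), which is a typo worth catching here rather than
    in the portal.
    """
    pool_net = ipaddress.ip_network(pool, strict=True)
    return [
        (label, prefix)
        for label, plist in prefixes.items()
        for prefix in plist
        if pool_net.overlaps(ipaddress.ip_network(prefix, strict=True))
    ]


def max_clients(pool: str) -> int:
    """Arithmetic upper bound on simultaneously connected clients for the pool
    (network and broadcast addresses excluded). The VPN gateway SKU caps the
    real number of connections independently of this figure."""
    return ipaddress.ip_network(pool, strict=True).num_addresses - 2


def check_pool(pool: str, prefixes: Dict[str, List[str]]) -> Dict[str, object]:
    """Summarise the checks an administrator wants before saving the P2S settings."""
    overlaps = find_overlaps(pool, prefixes)
    return {
        "pool": pool,
        "ok": not overlaps,
        "overlaps": overlaps,
        "max_clients": max_clients(pool),
    }


if __name__ == "__main__":
    print(check_pool(P2S_POOL, REACHABLE_PREFIXES))
    # A pool carved out of the on-premises range shows what a bad choice looks like.
    print(check_pool("172.16.8.0/22", REACHABLE_PREFIXES))
```

Run the pool through `check_pool` before step 1 of the configuration; if `overlaps` is non-empty, pick a different pool rather than trying to fix it with routes afterwards.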

Site-to-Site VPN

Explanation

Site-to-site VPN creates persistent, encrypted connections between on-premises networks and Azure VNets. It uses IPsec tunnels over the internet and requires VPN devices with public IP addresses on both ends.

Examples

Connecting corporate headquarters to Azure, linking branch offices to cloud resources, implementing disaster recovery connectivity, establishing hybrid cloud architectures.

Enterprise Use Case

Organizations use S2S VPN for hybrid cloud implementations, extending corporate networks to Azure, disaster recovery scenarios, and gradual cloud migration strategies.

Diagram

Site-to-Site VPN:
On-Premises Site          Azure Site
┌─────────────┐    ↔    ┌─────────────┐
│[VPN Device] │←IPSec→  │[VPN Gateway]│
│             │         │             │
│[Local Net]  │         │[Azure VNet] │
└─────────────┘         └─────────────┘

Azure ExpressRoute

Explanation

ExpressRoute provides private, high-bandwidth connections between on-premises networks and Azure datacenters. It bypasses the internet for better reliability, security, and performance with predictable bandwidth and latency.

Examples

Implementing dedicated connections for mission-critical workloads, establishing high-bandwidth data replication, connecting multiple Azure regions, enabling low-latency financial trading systems.

Enterprise Use Case

Enterprise organizations use ExpressRoute for mission-critical applications, large data transfers, compliance requirements, and when internet-based connections are insufficient for performance needs.

Diagram

Azure ExpressRoute - Enterprise Connectivity & Redundancy Architecture:

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                        🚀 EXPRESSROUTE CONNECTIVITY MODELS                            │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│        🏢 COLOCATION MODEL              │    │        🌐 POINT-TO-POINT ETHERNET      │
│                                         │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │                                         │
│ Customer Premise                        │    │ Customer Sites                          │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ 🏭 Enterprise Data Center           │ │    │ │ 🏢 Corporate HQ                     │ │
│ │ • Core routers & switches          │ │    │ │ • Primary site connectivity        │ │
│ │ • Firewalls & security             │ │    │ │ • Dedicated fiber/ethernet         │ │
│ │ • Server farms & storage           │ │    │ │ • Carrier-grade redundancy         │ │
│ └─────────────────┬───────────────────┘ │    │ └─────────────────┬───────────────────┘ │
│                   │ Cross-connect       │    │                   │ Point-to-Point      │
│ Colocation Facility (Same Rack/Cage)   │    │ Service Provider Network               │
│ ┌─────────────────┴───────────────────┐ │    │ ┌─────────────────┴───────────────────┐ │
│ │ 🔗 Microsoft Edge Equipment         │ │    │ │ 🌐 Carrier Network                  │ │
│ │ • ExpressRoute port allocation      │ │───▶│ │ • MPLS backbone                     │ │
│ │ • BGP peering sessions             │ │    │ │ • Carrier Ethernet services        │ │
│ │ • Redundant paths available       │ │    │ │ • SLA guarantees                   │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────┬───────────────────┘ │
│                                         │    │                   │ To Microsoft        │
│ Benefits:                               │    │ ┌─────────────────┴───────────────────┐ │
│ • Lowest latency                       │    │ │ 🏢 Microsoft Peering Location       │ │
│ • Direct physical connection           │    │ │ • Carrier aggregation point         │ │
│ • Highest control & security           │    │ │ • ExpressRoute circuit termination  │ │
│ • Most cost-effective for high BW      │    │ └─────────────────────────────────────┘ │
└─────────────────────────────────────────┘    └─────────────────────────────────────────┘

┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│        🎯 ANY-TO-ANY CONNECTIVITY       │    │        ☁️ EXPRESSROUTE DIRECT           │
│                                         │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │                                         │
│ Multiple Corporate Locations            │    │ Ultra-High Bandwidth Requirements       │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ 🏢 HQ Site     🏭 Factory Sites      │ │    │ │ 🏢 Enterprise Data Center           │ │
│ │ • Management   • Manufacturing       │ │    │ │ • Massive data workloads           │ │
│ │ • Finance      • Distribution        │ │    │ │ • Real-time analytics              │ │
│ │ • Legal        • Research labs       │ │    │ │ • Backup & disaster recovery       │ │
│ └─────────────────┬───────────────────┘ │    │ └─────────────────┬───────────────────┘ │
│                   │ MPLS Network        │    │                   │ 100 Gbps Ports     │
│ Service Provider WAN                    │    │ Direct Connection (No Provider)         │
│ ┌─────────────────┴───────────────────┐ │    │ ┌─────────────────┴───────────────────┐ │
│ │ 🌐 Carrier MPLS Cloud               │ │    │ │ 🔗 Microsoft Edge Routers           │ │
│ │ • Site-to-site connectivity        │ │    │ │ • 10/100 Gbps port options          │ │
│ │ • Any-to-any reachability          │ │───▶│ │ • Dedicated bandwidth allocation    │ │
│ │ • Quality of Service (QoS)         │ │    │ │ • Private peering only              │ │
│ │ • Centralized policy management    │ │    │ │ • Customer-managed BGP routing      │ │
│ └─────────────────┬───────────────────┘ │    │ └─────────────────────────────────────┘ │
│                   │ To ExpressRoute     │    │                                         │
│ Benefits:                               │    │ Benefits:                               │
│ • Simplified connectivity management    │    │ • Highest bandwidth (100 Gbps)         │
│ • Existing MPLS investment leverage     │    │ • Direct Microsoft peering             │
│ • Integrated with corporate WAN         │    │ • Maximum security & performance        │
│ • Branch office inclusion              │    │ • Full traffic control                  │
└─────────────────────────────────────────┘    └─────────────────────────────────────────┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                       🛡️ HIGH AVAILABILITY & REDUNDANCY PATTERNS                      │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Dual Circuit Redundancy                       │ Geographic Redundancy                │
│ ═══════════════════════════                   │ ═══════════════════════               │
│                                               │                                       │
│ 🏢 Corporate Data Center                      │ 🏢 Primary Site (East US)             │
│ ┌─────────────────────────────────────────┐   │ ┌───────────────────────────────────┐ │
│ │     🔀 Border Router Setup              │   │ │   🏭 Production Data Center       │ │
│ │                                         │   │ │   • Core business applications    │ │
│ │ CE Router 1 ←→ ExpressRoute Circuit A   │   │ │   • Primary user base             │ │
│ │      │              │                   │   │ │   • Main database systems        │ │
│ │      ▼              ▼                   │   │ └───────────┬───────────────────────┘ │
│ │ Azure Region 1  Azure Region 2         │   │             │ ExpressRoute Primary    │
│ │ (Primary)       (Secondary)             │   │ ┌───────────▼───────────────────────┐ │
│ │      ▲              ▲                   │   │ │   ☁️ Azure East US Region         │ │
│ │      │              │                   │   │ │   • Production workloads          │ │
│ │ CE Router 2 ←→ ExpressRoute Circuit B   │   │ │   • Active-active load balancing  │ │
│ │                                         │   │ │   • Regional disaster recovery    │ │
│ └─────────────────────────────────────────┘   │ └───────────────────────────────────┘ │
│                                               │                                       │
│ Circuit Configuration:                        │ 🏢 DR Site (West US)                  │
│ • Circuit A: Primary path to Region 1        │ ┌───────────────────────────────────┐ │
│ • Circuit B: Backup path to Region 2         │ │   🛡️ Disaster Recovery Site       │ │
│ • BGP route preferences configured           │ │   • Standby applications          │ │
│ • Automatic failover (30-60 seconds)         │ │   • Replicated data               │ │
│ • Load balancing across circuits             │ │   • Emergency operations          │ │
│                                               │ └───────────┬───────────────────────┘ │
│ SLA Benefits:                                 │             │ ExpressRoute Secondary  │
│ • 99.95% availability with dual circuits     │ ┌───────────▼───────────────────────┐ │
│ • Path diversity & redundancy                │ │   ☁️ Azure West US Region         │ │
│ • No single point of failure                 │ │   • DR workloads                  │ │
│ • Predictable failover behavior              │ │   • Cross-region replication      │ │
│                                               │ │   • Business continuity          │ │
│                                               │ └───────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                          📊 CONNECTIVITY COMPARISON & ROUTING                         │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Connection Type  │ Bandwidth         │ Latency      │ Cost      │ Security    │ SLA   │
│ ═══════════════  │ ════════════════  │ ═══════════  │ ════════  │ ══════════  │ ════  │
│ 🌐 Site-to-Site  │ Up to 10 Gbps     │ Variable     │ Low       │ IPsec VPN   │ 99.9% │
│ 🔗 ExpressRoute  │ 50 Mbps - 100 Gbps│ <10ms        │ High      │ Private     │ 99.95%│
│ 🚪 ExpressRoute  │ 100 Mbps - 100 Gbps│ <5ms        │ Highest   │ Dedicated   │ 99.95%│
│    Direct        │                   │              │           │             │       │
│ 🌍 Internet VPN  │ Variable          │ High/Variable│ Lowest    │ Public+VPN  │ None  │
│                                                                                       │
│ BGP Routing Configuration:                                                           │
│ ════════════════════════════                                                         │
│                                                                                       │
│ Microsoft Peering (Public Services):      │ Private Peering (VNet Resources):        │
│ • Office 365 services                     │ • Virtual machines                       │
│ • Dynamics 365                            │ • Storage accounts                       │
│ • Azure public services                   │ • SQL databases                          │
│ • Custom public IP ranges                 │ • Web apps & API services               │
│                                           │                                          │
│ Route Advertisement:                       │ Route Filters:                          │
│ • Customer advertises public prefixes     │ • Regional service filtering            │
│ • Microsoft advertises service prefixes   │ • Service-specific routing              │
│ • BGP community values for control        │ • Traffic engineering capabilities      │
│ • Route filtering & policy enforcement    │ • Local preference & MED attributes     │
└═══════════════════════════════════════════════════════════════════════════════════════┘

Azure DNS

Explanation

Azure DNS is a hosting service for DNS domains that provides name resolution using Microsoft Azure infrastructure. It supports both public and private DNS zones; public zones are served from a global anycast network for fast response times.

Examples

Hosting public domain DNS records, creating private DNS zones for internal name resolution, implementing DNS-based load balancing, managing subdomain delegation.

Enterprise Use Case

Organizations use Azure DNS for reliable domain hosting, internal name resolution, integration with Azure services, and simplified DNS management with Azure RBAC.

Diagram

Azure DNS - Comprehensive Name Resolution Architecture:

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                             🌐 AZURE DNS GLOBAL INFRASTRUCTURE                        │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│           🌍 PUBLIC DNS ZONES           │    │          🏠 PRIVATE DNS ZONES           │
│                                         │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │                                         │
│ contoso.com (Public Zone)               │    │ internal.contoso.com (Private Zone)     │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ Global Anycast Network              │ │    │ │ VNet-scoped Resolution              │ │
│ │ • 4 Name servers worldwide          │ │    │ │ • Limited to linked VNets           │ │
│ │ • ns1-01.azure-dns.com             │ │    │ │ • Auto-registration supported       │ │
│ │ • ns2-01.azure-dns.net             │ │    │ │ • Split-brain DNS capability       │ │
│ │ • ns3-01.azure-dns.org             │ │    │ │ • Resolution: 168.63.129.16        │ │
│ │ • ns4-01.azure-dns.info            │ │    │ └─────────────────────────────────────┘ │
│ └─────────────────────────────────────┘ │    │                                         │
│                                         │    │ Linked Virtual Networks:                │
│ Internet-accessible:                    │    │ • Production VNet (10.0.0.0/16)       │
│ • A: www → 52.168.1.10                 │    │ • Development VNet (10.1.0.0/16)      │
│ • CNAME: blog → www.contoso.com        │    │ • Management VNet (10.2.0.0/16)       │
│ • MX: @ → mail.contoso.com (10)        │    │                                         │
│ • TXT: @ → "v=spf1 include..."         │    │ Auto-registered Records:                │
│                                         │    │ • vm-web-01 → 10.0.1.10               │
│                                         │    │ • vm-db-01 → 10.0.2.10                │
└─────────────────────────────────────────┘    └─────────────────────────────────────────┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                              🔍 DNS RESOLUTION FLOW DIAGRAM                           │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Client Query: www.contoso.com                                                         │
│ ═══════════════════════════                                                           │
│                                                                                       │
│ Step 1: Client Query          Step 2: Root Servers       Step 3: TLD Servers        │
│ ┌─────────────────┐          ┌─────────────────┐         ┌─────────────────┐         │
│ │   💻 Client      │──Query──▶│  🌐 Root DNS     │─.com──▶│  🏢 .com TLD     │         │
│ │                 │          │  (13 servers)   │         │   Servers       │         │
│ │ Recursive DNS:  │          │  198.41.0.4     │         │  192.5.6.30     │         │
│ │ 8.8.8.8        │          │  199.9.14.201   │         │  192.12.94.30   │         │
│ └─────────────────┘          └─────────────────┘         └─────────────────┘         │
│           ▲                            ▲                           │                 │
│           │                            │                           ▼                 │
│           │                            │                 Step 4: Authoritative      │
│ Step 6: Final Response      Step 5: Azure DNS Authority   ┌─────────────────┐       │
│ ┌─────────────────┐                  ┌─────────────────┐  │  ⚡ Azure DNS    │       │
│ │ Response:        │◄────────────────│  📊 Azure DNS    │◄─│  Name Servers   │       │
│ │ www.contoso.com │                  │  Zone Response  │  │  Global Anycast │       │
│ │ = 52.168.1.10   │                  │  A: 52.168.1.10 │  │  • ns1-01...    │       │
│ │ TTL: 3600s      │                  │  TTL: 3600      │  │  • ns2-01...    │       │
│ └─────────────────┘                  └─────────────────┘  └─────────────────┘       │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                            📊 DNS RECORD TYPES & CONFIGURATION                        │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Record Type    │ Purpose           │ Example                    │ TTL  │ Priority     │
│ ═════════════  │ ════════════════  │ ═══════════════════════   │ ═══  │ ════════     │
│ 🌐 A Record    │ IPv4 Address      │ www → 52.168.1.10          │ 3600 │ N/A          │
│ 🔗 AAAA Record │ IPv6 Address      │ www → 2001:db8::1          │ 3600 │ N/A          │
│ 📍 CNAME       │ Canonical Name    │ blog → www.contoso.com     │ 300  │ N/A          │
│ 📧 MX Record   │ Mail Exchange     │ @ → mail.contoso.com       │ 3600 │ 10           │
│ 📝 TXT Record  │ Text Data         │ @ → "v=spf1 include:..."   │ 300  │ N/A          │
│ 🎯 SRV Record  │ Service Location  │ _sip._tcp → server:5060    │ 900  │ 10/5         │
│ 🔄 NS Record   │ Name Server       │ @ → ns1-01.azure-dns.com   │ 86400│ N/A          │
│ 🏠 PTR Record  │ Reverse Lookup    │ 10.1.168.52 → vm-web-01   │ 3600 │ N/A          │
│                                                                                       │
│ Special Azure DNS Features:                                                           │
│ ┌───────────────────────────────────────────────────────────────────────────────────┐ │
│ │ 🎯 Alias Records                                                                  │ │
│ │ • Points to Azure resources directly (no IP hardcoding)                          │ │
│ │ • @ → contoso.azurewebsites.net (automatic IP updates)                           │ │
│ │ • Supports: Traffic Manager, CDN endpoints, Public IPs                           │ │
│ │                                                                                   │ │
│ │ 🔄 Auto-Registration (Private Zones)                                             │ │
│ │ • VM creation automatically adds A record                                        │ │
│ │ • VM deletion automatically removes record                                       │ │
│ │ • Custom hostnames supported via cloud-init                                      │ │
│ └───────────────────────────────────────────────────────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                              🏗️ DEPLOYMENT & INTEGRATION PATTERNS                     │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Hybrid DNS Architecture                    │ Multi-Zone Load Balancing               │
│ ══════════════════════════                 │ ════════════════════════════             │
│                                            │                                          │
│ 🏢 On-Premises ←→ ☁️ Azure                │ 🌍 Global Traffic Distribution            │
│ ┌─────────────────────────────────────────┐│ ┌─────────────────────────────────────┐ │
│ │ Corporate DNS (corp.local)              ││ │ contoso.com DNS Zone                │ │
│ │ ┌─────────────────────────────────────┐ ││ │ ┌─────────────────────────────────┐ │ │
│ │ │ • Internal hostnames               │ ││ │ │ Traffic Manager Profile:        │ │ │
│ │ │ • AD-integrated zones              │ ││ │ │ • East US: app-east.contoso.com │ │ │
│ │ │ • Conditional forwarders           │ ││ │ │ • West EU: app-west.contoso.com │ │ │
│ │ │   to Azure DNS (168.63.129.16)     │ ││ │ │ • Failover routing method       │ │ │
│ │ └─────────────────────────────────────┘ ││ │ └─────────────────────────────────┘ │ │
│ │                │                       ││ │                                     │ │
│ │     ExpressRoute/VPN Connection        ││ │ CNAME: www → contoso.trafficmgr.net │ │
│ │                ▼                       ││ └─────────────────────────────────────┘ │
│ │ Azure Private DNS (internal.corp.com)  ││                                          │
│ │ ┌─────────────────────────────────────┐ ││ DNS-based Load Balancing Benefits:       │
│ │ │ • Cross-premises name resolution    │ ││ • Geographic routing                     │
│ │ │ • Azure resource auto-registration  │ ││ • Health monitoring integration          │
│ │ │ • Split-brain DNS capability       │ ││ • Automatic failover                     │
│ │ └─────────────────────────────────────┘ ││ • Performance-based routing              │
│ └─────────────────────────────────────────┘│                                          │
└═══════════════════════════════════════════════════════════════════════════════════════┘

Custom DNS Settings

Explanation

Custom DNS settings allow you to specify custom DNS servers for virtual networks instead of using Azure-provided DNS. This enables integration with on-premises DNS infrastructure and custom DNS solutions.

Examples

Configuring VNets to use on-premises DNS servers, implementing DNS forwarders, setting up conditional forwarding, integrating with Active Directory DNS.

Enterprise Use Case

Organizations use custom DNS for hybrid scenarios, existing DNS infrastructure integration, compliance requirements, and centralized DNS management across on-premises and cloud.

Diagram

Custom DNS Configuration:
┌─────────────────┐    ┌──────────────┐
│   Azure VNet    │    │  On-Premises │
│                 │    │              │
│ Custom DNS:     │←──→│ DNS Server   │
│ 192.168.1.10    │    │ 192.168.1.10 │
│                 │    │              │
│ [VMs use        │    │ [AD DNS]     │
│  custom DNS]    │    │              │
└─────────────────┘    └──────────────┘

DNS Zones

Explanation

DNS zones are administrative domains that contain DNS records for a particular domain. Azure supports both public DNS zones for internet-accessible domains and private DNS zones for internal name resolution.

Examples

Creating public zones for company domains, setting up private zones for internal services, configuring zone delegation, implementing DNS security with DNSSEC.

Enterprise Use Case

IT teams manage DNS zones to organize domain name resolution, separate internal and external DNS, delegate subdomain management, and maintain DNS security and performance.

Diagram

DNS Zone Structure:
Domain: contoso.com
┌─────────────────────┐
│    DNS Zone         │
├─────────────────────┤
│ @ (root)  A  1.2.3.4│
│ www       A  1.2.3.5│
│ mail      MX mail.x │
│ ftp       CNAME www │
└─────────────────────┘
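The record table and zone diagram above show the two things a zone has to get right for the records to resolve: a CNAME is followed hop by hop until a record of the requested type is found, and a CNAME may neither sit at the apex (@) nor coexist with other record types at the same label (Azure DNS refuses both; alias records exist for the apex case). The following Python is an added example, not code from the study guide or from Azure DNS itself; it models a contoso.com zone built from the diagram's records, with the TXT value, the `mail`, `shop` and `app` records and the out-of-zone CNAME to `contoso.azurewebsites.net` as constructed values.

```python
"""Resolve names inside a small zone model and enforce the CNAME rules Azure DNS applies.

Added example for the Azure DNS record types and DNS zone concepts; not part of the study guide.
The zone below is constructed from the diagram's contoso.com records plus a few invented labels.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, int]        # (type, value, ttl)
Zone = Dict[str, List[Record]]       # relative label -> record set; "@" is the apex

ORIGIN = "contoso.com"

CONTOSO_ZONE: Zone = {
    "@":    [("MX", "10 mail.contoso.com.", 3600),
             ("TXT", '"v=spf1 ip4:52.168.1.20 -all"', 300)],   # constructed SPF value
    "www":  [("A", "52.168.1.10", 3600)],
    "mail": [("A", "52.168.1.20", 3600)],                       # constructed
    "blog": [("CNAME", "www.contoso.com.", 300)],
    "shop": [("CNAME", "blog.contoso.com.", 300)],              # constructed two-hop chain
    "app":  [("CNAME", "contoso.azurewebsites.net.", 300)],     # constructed custom-domain pattern
}


def to_label(fqdn: str, origin: str) -> Optional[str]:
    """Map an absolute name to its label inside the zone; None when it lies outside the zone."""
    name, origin = fqdn.rstrip(".").lower(), origin.rstrip(".").lower()
    if name == origin:
        return "@"
    if name.endswith("." + origin):
        return name[: -(len(origin) + 1)]
    return None


def validate_zone(zone: Zone) -> List[str]:
    """Report the CNAME placements that RFC 1034 forbids and Azure DNS rejects."""
    problems = []
    for label, rrset in zone.items():
        if "CNAME" not in {rtype for rtype, _, _ in rrset}:
            continue
        if label == "@":
            problems.append("@: CNAME at the zone apex is not allowed; use an alias record")
        if len(rrset) > 1:
            problems.append(f"{label}: a CNAME cannot coexist with other record types")
    return problems


def resolve(zone: Zone, origin: str, qname: str, qtype: str = "A", max_hops: int = 8) -> dict:
    """Follow CNAMEs inside the zone and return the answer, the names visited and the
    effective TTL (the smallest TTL on the chain, after which the whole answer may change).
    A CNAME pointing outside the zone is returned as-is for the resolver to chase elsewhere."""
    chain: List[str] = []
    ttl: Optional[int] = None
    current = qname.rstrip(".").lower()
    for _ in range(max_hops):
        label = to_label(current, origin)
        if label is None:
            return {"type": "CNAME", "answer": current, "chain": chain, "ttl": ttl}
        rrset = zone.get(label)
        if rrset is None:
            raise LookupError(f"NXDOMAIN: {current}")
        chain.append(current)
        wanted = [(v, t) for rtype, v, t in rrset if rtype == qtype]
        if wanted:
            value, rttl = wanted[0]
            ttl = rttl if ttl is None else min(ttl, rttl)
            return {"type": qtype, "answer": value, "chain": chain, "ttl": ttl}
        cnames = [(v, t) for rtype, v, t in rrset if rtype == "CNAME"]
        if not cnames:
            raise LookupError(f"NODATA: {current} has no {qtype} record")
        target, rttl = cnames[0]
        ttl = rttl if ttl is None else min(ttl, rttl)
        current = target.rstrip(".").lower()
    raise RuntimeError(f"CNAME chain longer than {max_hops} hops from {qname} (loop?)")


if __name__ == "__main__":
    print(validate_zone(CONTOSO_ZONE))
    for name in ("www.contoso.com", "shop.contoso.com", "app.contoso.com"):
        print(name, resolve(CONTOSO_ZONE, ORIGIN, name))
```

The two-hop `shop` chain illustrates why long CNAME chains are a troubleshooting trap: the answer is only stable for the shortest TTL on the chain (300 s here, not the A record's 3600 s), and every extra hop is another lookup a client has to wait for.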

Public DNS Zones

Explanation

Public DNS zones host DNS records for domains accessible from the internet. They provide global name resolution using Azure's global anycast network with automatic scaling and high availability.

Examples

Hosting company website DNS records, managing email server MX records, configuring CDN CNAME records, implementing geo-distributed DNS responses.

Enterprise Use Case

Organizations use public DNS zones for website hosting, email services, external API endpoints, and any internet-facing services requiring DNS resolution.

Diagram

Public DNS Zone:
Internet Users
     ↓
[Global DNS Query]
     ↓
[Azure Public DNS Zone: contoso.com]
     ↓
[DNS Records: A, CNAME, MX, TXT]
     ↓
[Internet Resources]

Private DNS Zones

Explanation

Private DNS zones provide name resolution for resources within virtual networks without internet accessibility. They enable custom domain names for internal resources and automatic registration of VM records.

Examples

Creating internal.contoso.com for VMs, automatic VM name registration, resolving Azure service endpoints, implementing split-brain DNS scenarios.

Enterprise Use Case

Organizations use private DNS zones for internal service discovery, simplified internal communication, compliance with naming standards, and enhanced security through private name resolution.

Diagram

Private DNS Zone:
┌─────────────────────────┐
│      Virtual Network    │
│                         │
│ Private DNS Zone:       │
│ internal.contoso.com    │
│                         │
│ vm1.internal.contoso.com│
│ db1.internal.contoso.com│
│                         │
│ [Auto-registered VMs]   │
└─────────────────────────┘

Custom Domain Configuration

Explanation

Custom domain configuration enables using your own domain names with Azure services instead of default Azure-provided domains. This provides professional branding and simplified user access to applications.

Examples

Configuring custom domains for App Service apps, setting up custom domains for Azure Front Door, implementing SSL certificates for custom domains, configuring domain verification.

Enterprise Use Case

Organizations use custom domains for brand consistency, professional appearance, simplified URLs, and meeting customer expectations for web applications and services.

Diagram

Custom Domain Setup:
Custom Domain: www.contoso.com
     ↓
[DNS CNAME Record]
     ↓
[Azure Service: contoso.azurewebsites.net]
     ↓
[SSL Certificate]
     ↓
[Production Application]

Effective Security Rules

Explanation

Effective security rules show the combined result of all NSG rules applied to a network interface, considering rule priorities, default rules, and inheritance from subnet and NIC-level NSGs.

Examples

Analyzing why traffic is blocked, troubleshooting connectivity issues, understanding rule precedence, optimizing security rule performance.

Enterprise Use Case

Network administrators use effective security rules for troubleshooting, security auditing, compliance verification, and optimizing network security configurations.

Diagram

Effective Security Rules:
Subnet NSG Rules    +    NIC NSG Rules
      ↓                        ↓
┌─────────────────────────────────────┐
│      Effective Security Rules      │
├─────────────────────────────────────┤
│ Priority 100: Allow HTTP      ✓     │
│ Priority 200: Deny SSH        ✗     │
│ Priority 300: Allow HTTPS     ✓     │
│ Default: Deny All Internet    ✗     │
└─────────────────────────────────────┘
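The diagram above shows the merged view; what actually happens per flow is that inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG, each NSG stops at its first matching rule in priority order (lowest number first), and the Azure default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) are consulted only after every custom rule. Both NSGs must allow the flow, which is why "the subnet allows it" so often fails to explain a blocked connection. The following Python is an added example, not code from the study guide or from Azure; the VNet address space, the two rule sets, the source addresses and the simplified handling of the `Internet` service tag (treated here as "not inside the VNet") are constructed assumptions.

```python
"""Work out the effective inbound decision for a flow crossing a subnet NSG and a NIC NSG.

Added example for the Effective Security Rules concept; not part of the study guide.
Rule sets, VNet address space and source addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; Azure default rules 65000-65500
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*" or one of the service tags handled below
    dest_port: str     # "80", "1000-2000" or "*"


VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")        # constructed VNet address space
AZURE_LB_IP = ipaddress.ip_address("168.63.129.16")      # source of Azure Load Balancer health probes

# Azure adds these to every NSG; they are evaluated only after all custom rules.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed rule sets mirroring the diagram: the subnet NSG opens web traffic and
# management SSH, the NIC NSG opens web traffic but explicitly denies SSH.
SUBNET_NSG = [
    Rule("AllowHTTP", 100, "Allow", "Tcp", "Internet", "80"),
    Rule("AllowMgmtSSH", 150, "Allow", "Tcp", "10.0.250.0/24", "22"),
    Rule("AllowHTTPS", 300, "Allow", "Tcp", "Internet", "443"),
]
NIC_NSG = [
    Rule("AllowWeb", 100, "Allow", "Tcp", "*", "80"),
    Rule("DenySSH", 200, "Deny", "Tcp", "*", "22"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Service tags are simplified: 'Internet' here means 'not inside the VNet'."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_IP
    if rule_source == "Internet":
        return ip not in VNET_SPACE
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_port: str, port: int) -> bool:
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(p) for p in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def first_match(rules: List[Rule], src_ip: str, proto: str, port: int) -> Rule:
    """Lowest priority number wins and evaluation stops there: an Allow at 100 is never
    overridden by a Deny at 200 for the same flow."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if ((rule.protocol == "*" or rule.protocol.lower() == proto.lower())
                and source_matches(rule.source, src_ip)
                and port_matches(rule.dest_port, port)):
            return rule
    return DEFAULT_INBOUND[-1]   # unreachable: DenyAllInBound matches everything


def effective_inbound(subnet_rules: List[Rule], nic_rules: List[Rule],
                      src_ip: str, proto: str, port: int) -> Tuple[str, str, str]:
    """Inbound: subnet NSG first, then NIC NSG; both must allow. (Outbound is the reverse.)
    Returns (decision, stage, rule name) so the blocking rule can be named."""
    subnet_rule = first_match(subnet_rules, src_ip, proto, port)
    if subnet_rule.access == "Deny":
        return "Deny", "subnet", subnet_rule.name
    nic_rule = first_match(nic_rules, src_ip, proto, port)
    if nic_rule.access == "Deny":
        return "Deny", "nic", nic_rule.name
    return "Allow", "nic", nic_rule.name


if __name__ == "__main__":
    for src, port in [("203.0.113.5", 80), ("203.0.113.5", 443),
                      ("10.0.250.10", 22), ("10.0.250.10", 3389), ("203.0.113.5", 3389)]:
        print(src, "tcp", port, "->", effective_inbound(SUBNET_NSG, NIC_NSG, src, "Tcp", port))
```

Two of the sample flows show the troubleshooting pattern the concept is about: HTTPS from the internet is allowed by the subnet NSG (priority 300) yet blocked by the NIC NSG's DenyAllInBound, because nobody added a 443 rule there; SSH from the management subnet passes AllowMgmtSSH on the subnet and then hits the NIC's explicit DenySSH.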

Service Endpoints

Explanation

Virtual Network Service Endpoints provide secure and direct connectivity to Azure services over an optimized route. They extend the VNet's private address space to the service, so the VNet's resources can reach it without needing public IPs of their own.

Examples

Securing access to Storage accounts from specific subnets, restricting SQL Database access to VNet resources, connecting to Key Vault privately, accessing Cosmos DB securely.

Enterprise Use Case

Organizations use service endpoints to secure Azure services, improve performance through optimal routing, reduce data transfer costs, and implement network-based access control.

Diagram

Service Endpoints:
┌─────────────────┐    ┌─────────────────┐
│   Virtual       │    │   Azure         │
│   Network       │    │   Service       │
│                 │    │                 │
│ [Service        │───→│ [Storage        │
│  Endpoint]      │    │  Account]       │
│                 │    │                 │
│ [Optimized      │    │ [Network        │
│  Route]         │    │  ACLs]          │
└─────────────────┘    └─────────────────┘

Private Endpoints

Explanation

Private endpoints bring Azure services into your virtual network with private IP addresses, providing completely private connectivity to Azure services without traversing the public internet.

Examples

Creating private connections to Storage accounts, accessing SQL databases privately, connecting to Key Vault through private IPs, implementing private access to web apps.

Enterprise Use Case

Organizations use private endpoints for the highest security requirements, compliance mandates, eliminating internet exposure, and ensuring all traffic remains within the Microsoft backbone.

Diagram

Private Endpoint:
┌─────────────────────────┐
│      Virtual Network    │
│                         │
│ ┌─────────────────────┐ │    ┌─────────────┐
│ │ Private Endpoint    │ │────│ Azure       │
│ │ IP: 10.0.1.10       │ │    │ Service     │
│ └─────────────────────┘ │    │             │
│                         │    │ [No Public  │
│ [VM: 10.0.1.5]          │    │  Access]    │
└─────────────────────────┘    └─────────────┘

Azure Firewall

Explanation

Azure Firewall is a cloud-native network security service providing stateful firewall capabilities with built-in high availability, threat intelligence, and centralized logging for network and application-level filtering.

Examples

Implementing hub-spoke network security, creating application rules for web traffic, configuring network rules for specific protocols, enabling threat intelligence filtering.

Enterprise Use Case

Organizations use Azure Firewall for centralized network security, compliance with security policies, threat protection, and simplified firewall management across multiple VNets.

Diagram

Azure Firewall - Advanced Security & Rule Processing Architecture:

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                         🛡️ AZURE FIREWALL COMPREHENSIVE ARCHITECTURE                  │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌─────────────────────────────────────────┐    ┌─────────────────────────────────────────┐
│         🌐 TRAFFIC INGRESS FLOW         │    │         🔄 RULE PROCESSING ENGINE      │
│                                         │    │                                         │
├─────────────────────────────────────────┤    ├─────────────────────────────────────────┤
│                                         │    │                                         │
│ Internet Traffic                        │    │ Rule Processing Order:                  │
│ ┌─────────────────────────────────────┐ │    │ ┌─────────────────────────────────────┐ │
│ │ 🌍 External Clients                 │ │    │ │ 1️⃣ Threat Intelligence              │ │
│ │ • Web browsers (HTTP/HTTPS)        │ │───▶│ │ 2️⃣ DNAT Rules (Inbound)             │ │
│ │ • Mobile apps (API calls)          │ │    │ │ 3️⃣ Network Rules (L3/L4)           │ │
│ │ • B2B partners (VPN)               │ │    │ │ 4️⃣ Application Rules (L7)           │ │
│ │ • Third-party services             │ │    │ │ 5️⃣ Default Deny (Implicit)         │ │
│ └─────────────────────────────────────┘ │    │ └─────────────────────────────────────┘ │
│                                         │    │                                         │
│ Internal Traffic (Hub-Spoke)            │    │ Rule Match Logic:                       │
│ ┌─────────────────────────────────────┐ │    │ • First match wins (priority order)    │
│ │ 🏢 Hub VNet Services                │ │    │ • Stateful connection tracking         │
│ │ • Shared services (10.0.0.0/16)    │ │    │ • Bidirectional traffic inspection     │
│ │ • Management tools                  │ │    │ • SSL/TLS termination & inspection     │
│ │ • Monitoring systems                │ │    │                                         │
│ └─────────────────────────────────────┘ │    │ Performance Features:                   │
│                                         │    │ • Auto-scaling (2-100 instances)       │
│ Spoke VNet Traffic                      │    │ • 30 Gbps throughput                   │
│ ┌─────────────────────────────────────┐ │    │ • 99.99% availability SLA             │
│ │ 🏭 Production: 10.1.0.0/16          │ │    │ • Built-in high availability           │
│ │ 🔧 Development: 10.2.0.0/16         │ │    │                                         │
│ │ 🧪 Testing: 10.3.0.0/16             │ │    │                                         │
│ └─────────────────────────────────────┘ │    └─────────────────────────────────────────┘
└─────────────────────────────────────────┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                          🔥 FIREWALL RULE TYPES & CONFIGURATION                       │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ DNAT Rules (Destination Network Address Translation)                                 │
│ ═══════════════════════════════════════════════════════                              │
│                                                                                       │
│ Priority │ Name         │ Public IP      │ Port │ Target IP      │ Target Port       │
│ ════════ │ ════════════ │ ═════════════  │ ═══  │ ═════════════  │ ══════════       │
│    100   │ Web-HTTPS    │ 52.168.1.10    │ 443  │ 10.1.1.10      │ 443              │
│    110   │ Web-HTTP     │ 52.168.1.10    │ 80   │ 10.1.1.10      │ 80               │
│    200   │ SSH-Jump     │ 52.168.1.11    │ 22   │ 10.0.3.10      │ 22               │
│    300   │ RDP-Mgmt     │ 52.168.1.12    │ 3389 │ 10.0.4.10      │ 3389             │
│                                                                                       │
│ Network Rules (Layer 3/4 - IP, Protocol, Port)                                      │
│ ═════════════════════════════════════════════════                                    │
│                                                                                       │
│ Priority │ Name         │ Source         │ Destination    │ Protocol │ Port         │
│ ════════ │ ════════════ │ ═════════════  │ ═════════════  │ ════════ │ ════════     │
│    100   │ Allow-DNS    │ 10.0.0.0/8     │ 168.63.129.16  │ UDP      │ 53           │
│    110   │ Allow-NTP    │ 10.0.0.0/8     │ pool.ntp.org   │ UDP      │ 123          │
│    200   │ Allow-HTTPS  │ 10.1.0.0/16    │ Internet       │ TCP      │ 443          │
│    300   │ Block-SMB    │ 10.0.0.0/8     │ Internet       │ TCP      │ 445,135,139  │
│    400   │ Allow-AD     │ 10.0.0.0/8     │ 192.168.1.0/24 │ TCP      │ 389,636,3268 │
│                                                                                       │
│ Application Rules (Layer 7 - FQDN, URL, HTTP/HTTPS)                                 │
│ ══════════════════════════════════════════════════════                               │
│                                                                                       │
│ Priority │ Name         │ Source         │ Target FQDN           │ Protocol         │
│ ════════ │ ════════════ │ ═════════════  │ ═══════════════════  │ ════════════     │
│    100   │ Allow-Office │ 10.0.0.0/8     │ *.office365.com       │ HTTPS            │
│    110   │ Allow-Update │ 10.0.0.0/8     │ *.windowsupdate.com   │ HTTP/HTTPS       │
│    200   │ Allow-GitHub │ 10.2.0.0/16    │ github.com,api.github │ HTTPS            │
│    300   │ Block-Social │ 10.1.0.0/16    │ *.facebook.com        │ HTTP/HTTPS       │
│    400   │ Allow-Azure  │ 10.0.0.0/8     │ *.azure.com           │ HTTPS            │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                        🛡️ THREAT INTELLIGENCE & SECURITY FEATURES                     │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Threat Intelligence Integration                │ Advanced Security Capabilities      │
│ ══════════════════════════════════════         │ ══════════════════════════════════  │
│                                                │                                      │
│ 🌐 Microsoft Threat Intelligence Feed          │ 🔍 Deep Packet Inspection (DPI)     │
│ ┌────────────────────────────────────────────┐ │ ┌──────────────────────────────────┐ │
│ │ • Real-time malicious IP/URL detection    │ │ │ • HTTP/HTTPS content filtering   │ │
│ │ • Botnet command & control blocking       │ │ │ • File type and signature check  │ │
│ │ • Malware hosting sites                   │ │ │ • SQL injection prevention       │ │
│ │ • Phishing domain protection              │ │ │ • Cross-site scripting (XSS)     │ │
│ │ • Geo-location based blocking             │ │ │ • Data loss prevention (DLP)     │ │
│ └────────────────────────────────────────────┘ │ └──────────────────────────────────┘ │
│                                                │                                      │
│ 🚨 Alert & Deny Mode Configuration             │ 🔐 SSL/TLS Inspection                │
│ ┌────────────────────────────────────────────┐ │ ┌──────────────────────────────────┐ │
│ │ • Alert Only: Log threats, allow traffic  │ │ │ • Certificate authority trust    │ │
│ │ • Alert & Deny: Block and log threats     │ │ │ • Encrypted traffic decryption   │ │
│ │ • Custom threat intelligence feeds        │ │ │ • Application-aware inspection   │ │
│ │ • Whitelist trusted sources               │ │ │ • Compliance policy enforcement  │ │
│ └────────────────────────────────────────────┘ │ └──────────────────────────────────┘ │
│                                                │                                      │
│ Threat Detection Capabilities:                 │ Integration Points:                  │
│ • Command & control communication detection    │ • Azure Sentinel (SIEM)             │
│ • Data exfiltration patterns                   │ • Azure Security Center             │
│ • Lateral movement detection                   │ • Azure Monitor & Log Analytics     │
│ • Anomalous traffic pattern analysis           │ • Third-party security tools        │
└═══════════════════════════════════════════════════════════════════════════════════════┘

┌═══════════════════════════════════════════════════════════════════════════════════════┐
│                           🚀 DEPLOYMENT MODES & ARCHITECTURE PATTERNS                │
├═══════════════════════════════════════════════════════════════════════════════════════┤
│                                                                                       │
│ Standard Deployment                            │ Premium Deployment                   │
│ ════════════════════                           │ ═══════════════════                  │
│                                                │                                      │
│ 📊 Basic Features:                             │ 🔥 Advanced Features:                │
│ • Network & Application rules                  │ • All Standard features             │
│ • Threat Intelligence                          │ • IDPS (Intrusion Detection)       │
│ • DNAT & SNAT capabilities                     │ • URL filtering                     │
│ • High Availability                            │ • Web categories                    │
│ • Auto-scaling                                 │ • TLS inspection                    │
│                                                │ • Custom threat intelligence        │
│ 💰 Cost: ~$1.25/hour + data processing        │ 💰 Cost: ~$2.50/hour + data         │
│                                                │                                      │
│ Force Tunneling Pattern:                       │ Hub-Spoke Security Pattern:          │
│ ┌────────────────────────────────────────────┐ │ ┌──────────────────────────────────┐ │
│ │        🏢 Hub VNet                         │ │ │     🌟 Central Security Hub      │ │
│ │  ┌──────────────────────────────────────┐  │ │ │ ┌──────────────────────────────┐ │ │
│ │  │     🛡️ Azure Firewall Subnet        │  │ │ │ │  🛡️ Firewall (10.0.1.0/26)   │ │ │
│ │  │    (AzureFirewallSubnet/26)          │  │ │ │ │  🚪 VPN Gateway              │ │ │
│ │  └──────────────────────────────────────┘  │ │ │ │  🏰 Bastion Service          │ │ │
│ │                   │                        │ │ │ │  📊 Shared Services          │ │ │
│ │  ┌──────────────────────────────────────┐  │ │ │ └──────────────────────────────┘ │ │
│ │  │    📋 Route Table (0.0.0.0/0)        │  │ │ │              │                │ │ │
│ │  │    Next Hop: Firewall IP             │  │ │ │    Spoke VNets (Peered)       │ │ │
│ │  │    All traffic → Firewall            │  │ │ │ • Production (10.1.0.0/16)    │ │ │
│ │  └──────────────────────────────────────┘  │ │ │ • Development (10.2.0.0/16)   │ │ │
│ └────────────────────────────────────────────┘ │ │ • Testing (10.3.0.0/16)       │ │ │
│                                                │ └──────────────────────────────────┘ │
└═══════════════════════════════════════════════════════════════════════════════════════┘
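The rule processing order in the diagram (threat intelligence, then network rules, then application rules, then the implicit deny) is the part that catches administrators out: a network rule that allows TCP 443 to the Internet for a subnet is matched before any application rule, so FQDN-based allow or deny rules never see that subnet's HTTPS traffic. The Python model below is added here as an illustration; it is not Azure code and not part of the guide. It replays the rule tables from the diagram through that order. The collection names, the threat-intelligence indicator and the client and destination addresses are constructed values.

```python
"""Model of Azure Firewall rule processing in the order the diagram lists it:
threat intelligence, then network rules, then application rules, then implicit deny.
Constructed example, not Azure code: it models the ordering and first-match logic only."""
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APP_PROTOCOL_BY_PORT = {80: "http", 443: "https"}  # how an application rule sees a flow


def in_scope(ip: str, scopes: list[str]) -> bool:
    """True if ip is inside any CIDR in scopes; "Internet" means any non-RFC1918 address."""
    addr = ip_address(ip)
    for scope in scopes:
        if scope == "Internet":
            if not any(addr in net for net in RFC1918):
                return True
        elif addr in ip_network(scope):
            return True
    return False


@dataclass
class NetworkRule:          # layer 3/4 rule: source, destination, protocol, port
    name: str
    sources: list[str]
    destinations: list[str]
    protocol: str           # "TCP" or "UDP"
    ports: set[int]

@dataclass
class ApplicationRule:      # layer 7 rule: source, FQDN pattern, http/https
    name: str
    sources: list[str]
    fqdns: list[str]        # glob patterns such as "*.office365.com"
    protocols: set[str]

@dataclass
class RuleCollection:
    name: str
    priority: int           # lower number is processed first
    action: str             # "Allow" or "Deny", applied when any rule in it matches
    rules: list

@dataclass
class Flow:
    src: str
    dst_ip: str
    protocol: str           # "TCP" or "UDP"
    port: int
    fqdn: str | None = None  # host name the firewall sees (HTTP Host header / TLS SNI)

@dataclass
class Decision:
    action: str
    stage: str              # "ThreatIntel", "Network", "Application" or "Default"
    rule: str


def _net_match(rule: NetworkRule, f: Flow) -> bool:
    return (rule.protocol == f.protocol and f.port in rule.ports
            and in_scope(f.src, rule.sources) and in_scope(f.dst_ip, rule.destinations))

def _app_match(rule: ApplicationRule, f: Flow) -> bool:
    return (f.fqdn is not None and APP_PROTOCOL_BY_PORT.get(f.port) in rule.protocols
            and in_scope(f.src, rule.sources)
            and any(fnmatch(f.fqdn, pattern) for pattern in rule.fqdns))

def _first_match(collections, f, matcher, stage) -> Decision | None:
    """First match wins: collections in priority order, rules in listed order."""
    for coll in sorted(collections, key=lambda c: c.priority):
        for rule in coll.rules:
            if matcher(rule, f):
                return Decision(coll.action, stage, f"{coll.name}/{rule.name}")
    return None

def evaluate(f: Flow, net_colls, app_colls, threat_intel: set[str],
             ti_mode: str = "Alert & Deny") -> Decision:
    """Decision for outbound or east-west traffic. DNAT is left out because it applies
    only to inbound traffic arriving on the firewall's public IP."""
    if ti_mode == "Alert & Deny" and (f.dst_ip in threat_intel or f.fqdn in threat_intel):
        return Decision("Deny", "ThreatIntel", "threat-intelligence feed")
    decision = _first_match(net_colls, f, _net_match, "Network")
    if decision is None:
        decision = _first_match(app_colls, f, _app_match, "Application")
    return decision or Decision("Deny", "Default", "implicit deny")


# Policy built from the rule tables in the diagram (collection names are assumed).
NET = [RuleCollection("Net-Allow", 100, "Allow", [
           NetworkRule("Allow-DNS", ["10.0.0.0/8"], ["168.63.129.16/32"], "UDP", {53}),
           NetworkRule("Allow-HTTPS", ["10.1.0.0/16"], ["Internet"], "TCP", {443})]),
       RuleCollection("Net-Deny", 300, "Deny", [
           NetworkRule("Block-SMB", ["10.0.0.0/8"], ["Internet"], "TCP", {445, 135, 139})])]
APP = [RuleCollection("App-Allow", 100, "Allow", [
           ApplicationRule("Allow-Office", ["10.0.0.0/8"], ["*.office365.com"], {"https"}),
           ApplicationRule("Allow-GitHub", ["10.2.0.0/16"], ["github.com", "api.github.com"], {"https"})]),
       RuleCollection("App-Deny", 300, "Deny", [
           ApplicationRule("Block-Social", ["10.1.0.0/16"], ["*.facebook.com"], {"http", "https"})])]
THREAT_INTEL = {"203.0.113.77"}  # constructed indicator from the TEST-NET-3 documentation range
```

Running `evaluate(Flow("10.1.1.5", "203.0.113.20", "TCP", 443, "www.facebook.com"), NET, APP, THREAT_INTEL)` returns an Allow from `Net-Allow/Allow-HTTPS`, even though `Block-Social` names that FQDN: the network rule is matched first and the application collections are never consulted. The same host over port 80 is denied by `App-Deny/Block-Social`, because no network rule covers that flow. When FQDN filtering is the intent, the network rule allowing 443 to the Internet has to go.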

Azure Service Endpoints

Explanation

Azure Service Endpoints extend your virtual network identity to Azure services, enabling you to secure Azure service resources to your virtual networks and improve security posture.

Examples

Restricting Storage account access to specific subnets, securing SQL databases to VNet traffic only, controlling Key Vault access, implementing network-based service security.

Enterprise Use Case

Security teams use service endpoints to eliminate public internet exposure, implement defense-in-depth strategies, meet compliance requirements, and control service access at the network level.

Diagram

Azure Service Endpoints:
VNet Subnet ←→ [Service Endpoint] ←→ Azure Service
    │                 │                   │
[VMs/Apps]      [Network ACL]      [Restricted Access]
    │                 │                   │
[Private IPs]   [Identity Extension] [Service Firewall]

Azure DDoS Protection

Explanation

Azure DDoS Protection provides enhanced DDoS mitigation capabilities for applications deployed in virtual networks, offering always-on monitoring, automatic attack mitigation, and detailed attack analytics.

Examples

Protecting web applications from volumetric attacks, securing public IP addresses, monitoring attack patterns, implementing application-layer protection with Web Application Firewall.

Enterprise Use Case

Organizations use DDoS Protection for mission-critical applications, compliance requirements, protecting revenue-generating services, and ensuring application availability during attacks.

Diagram

DDoS Protection:
Malicious Traffic ✗ ←── [DDoS Protection] ←── Internet
                            │
Legitimate Traffic ✓ ───────┴───→ [Protected Resource]
                                        │
                              [Public IP Address]
                                        │
                                [Virtual Network]

Azure Load Balancer

Explanation

Azure Load Balancer distributes network traffic across multiple virtual machines, providing high availability and network performance for applications with Layer 4 (TCP/UDP) load balancing capabilities.

Examples

Distributing web traffic across multiple web servers, load balancing database connections, implementing high availability for applications, creating internal load balancing.

Enterprise Use Case

IT teams use Load Balancer for application availability, performance optimization, scaling applications horizontally, and eliminating single points of failure.

Diagram

Azure Load Balancer:
    Traffic Input
         ↓
[Load Balancer Rules]
         ↓
┌────────┼────────┐
│        │        │
VM1     VM2     VM3
↓       ↓       ↓
App     App     App

Public Load Balancer

Explanation

Public Load Balancer provides internet-facing load balancing with public IP addresses, enabling external users to access applications distributed across multiple backend VMs or instances.

Examples

Load balancing web applications from the internet, distributing API traffic, implementing high availability web services, creating internet-facing application tiers.

Enterprise Use Case

Organizations use public load balancers for customer-facing applications, web services, APIs, and any application requiring internet accessibility with high availability.

Diagram

Public Load Balancer:
Internet Users
      ↓
[Public IP: 40.1.2.3]
      ↓
[Public Load Balancer]
      ↓
┌─────┼─────┐
│     │     │
VM1   VM2   VM3
(Private IPs)

Internal Load Balancer

Explanation

Internal Load Balancer provides load balancing within virtual networks using private IP addresses, enabling traffic distribution for internal applications without internet exposure.

Examples

Load balancing database tier traffic, distributing internal API requests, creating high availability for internal services, implementing multi-tier application architectures.

Enterprise Use Case

Organizations use internal load balancers for database clustering, internal service distribution, application tier separation, and maintaining security through private networking.

Diagram

Internal Load Balancer:
┌─────────────────────────┐
│     Virtual Network     │
│                         │
│ [Web Tier VMs]          │
│        ↓                │
│ [Internal LB: 10.0.2.4] │
│        ↓                │
│ [Database VMs]          │
│  10.0.2.10, 10.0.2.11   │
└─────────────────────────┘

Azure Traffic Manager

Explanation

Azure Traffic Manager is a DNS-based traffic load balancer that distributes user traffic across multiple Azure regions or external endpoints based on routing methods and endpoint health.

Examples

Implementing global load balancing, directing users to the nearest datacenter, configuring failover between regions, optimizing performance based on geography.

Enterprise Use Case

Organizations use Traffic Manager for global applications, disaster recovery, performance optimization, and distributing users across multiple regions or cloud providers.

Diagram

Traffic Manager:
Global Users ←→ [Traffic Manager] ←→ [DNS Resolution]
                      │
        ┌─────────────┼─────────────┐
        │             │             │
   [East US]     [West US]    [Europe]
   Endpoint      Endpoint     Endpoint

Priority Routing Method

Explanation

Priority routing method in Traffic Manager directs all traffic to a primary endpoint, automatically failing over to backup endpoints when the primary becomes unavailable, implementing active-passive failover.

Examples

Configuring primary site with backup site failover, implementing disaster recovery scenarios, creating active-passive configurations, maintaining business continuity.

Enterprise Use Case

Organizations use priority routing for disaster recovery, cost optimization with primary-secondary setups, and applications requiring active-passive architecture.

Diagram

Priority Routing:
Traffic Manager
      ↓
Priority 1: [Primary Site] ←── All Traffic (if healthy)
Priority 2: [Backup Site]  ←── Failover Traffic
Priority 3: [DR Site]      ←── Emergency Failover

Performance Routing Method

Explanation

Performance routing method directs users to the endpoint with the lowest network latency, automatically measuring and selecting the best-performing endpoint for each user location.

Examples

Routing users to the nearest datacenter, optimizing application response times, reducing latency for global applications, improving user experience.

Enterprise Use Case

Organizations use performance routing for global applications, latency-sensitive workloads, improved user experience, and optimizing application performance across regions.

Diagram

Performance Routing:
User Location → [Traffic Manager] → [Latency Test]
                      ↓
├─ US User     → US Datacenter    (20ms) ✓
├─ EU User     → Europe Datacenter (15ms) ✓  
└─ Asia User   → Asia Datacenter   (30ms) ✓

Geographic Routing Method

Explanation

Geographic routing method directs users to specific endpoints based on their geographic location, enabling compliance with data residency requirements and localized content delivery.

Examples

Routing EU users to EU datacenters for GDPR compliance, directing users to localized content, implementing geographic restrictions, supporting regional applications.

Enterprise Use Case

Organizations use geographic routing for regulatory compliance, data sovereignty, localized services, and meeting geographic restrictions or licensing requirements.

Diagram

Geographic Routing:
┌─────────────────────────────────┐
│        Traffic Manager          │
├─────────────────────────────────┤
│ Europe Users    → EU Endpoint   │
│ US Users        → US Endpoint   │
│ Asia Users      → Asia Endpoint │
│ Default         → Global        │
└─────────────────────────────────┘
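The three routing methods above (priority, performance, geographic) all start from the same health-probe result and differ only in how one endpoint is picked for a DNS query. The Python model below is added as an illustration; it is not Traffic Manager code and not part of the guide. The latency table stands in for the Internet latency measurements Traffic Manager keeps, and the endpoint names, targets and geographic codes are assumed values.

```python
"""Model of endpoint selection for the Priority, Performance and Geographic routing
methods. Constructed example, not Traffic Manager's own code."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    target: str                      # DNS name returned to the client in the CNAME answer
    healthy: bool = True             # result of the profile's health probe
    priority: int = 1                # Priority routing: lower number is preferred
    location: str = ""               # Azure region, used by Performance routing
    geo_codes: tuple[str, ...] = ()  # Geographic routing: "WORLD", "GEO-EU", "US", "DE", ...


# Constructed latency table (client region -> endpoint location -> ms); the values
# reuse the 20 ms / 15 ms / 30 ms figures from the Performance Routing diagram.
LATENCY_MS = {
    "US":   {"East US": 20,  "West Europe": 95,  "Southeast Asia": 180},
    "EU":   {"East US": 90,  "West Europe": 15,  "Southeast Asia": 160},
    "ASIA": {"East US": 190, "West Europe": 170, "Southeast Asia": 30},
}


def route_priority(endpoints: list[Endpoint]) -> Endpoint | None:
    """Active-passive: the healthy endpoint with the lowest priority number wins."""
    healthy = [e for e in endpoints if e.healthy]
    return min(healthy, key=lambda e: e.priority, default=None)


def route_performance(endpoints: list[Endpoint], client_region: str) -> Endpoint | None:
    """Lowest measured latency between the client's region and a healthy endpoint's region."""
    table = LATENCY_MS.get(client_region, {})
    healthy = [e for e in endpoints if e.healthy and e.location in table]
    return min(healthy, key=lambda e: table[e.location], default=None)


def route_geographic(endpoints: list[Endpoint], client_hierarchy: list[str]) -> Endpoint | None:
    """Most specific geographic match wins: ["DE", "GEO-EU", "WORLD"] tries the country,
    then the continent, then the catch-all. Only the matched endpoint is considered;
    geographic routing does not fail over to another geography by itself (nested
    profiles are the documented way to get that), so a degraded match yields no answer."""
    for code in client_hierarchy:
        for e in endpoints:
            if code in e.geo_codes:
                return e if e.healthy else None
    return None


# Constructed profile: the three sites from the Priority Routing diagram.
PRIMARY = Endpoint("primary", "app-eastus.example.com", priority=1,
                   location="East US", geo_codes=("US",))
BACKUP = Endpoint("backup", "app-westeu.example.com", priority=2,
                  location="West Europe", geo_codes=("GEO-EU",))
DR = Endpoint("dr", "app-sea.example.com", priority=3,
              location="Southeast Asia", geo_codes=("WORLD",))
ENDPOINTS = [PRIMARY, BACKUP, DR]
```

With the primary healthy, `route_priority(ENDPOINTS)` returns it; mark it unhealthy and the same call returns `backup`. `route_performance(ENDPOINTS, "EU")` returns `backup` (15 ms), and `route_geographic(ENDPOINTS, ["BR", "GEO-SA", "WORLD"])` falls through to `dr` because only the WORLD catch-all covers that client.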

Monitor On-Premises Connectivity

Explanation

Monitoring on-premises connectivity involves tracking the health, performance, and availability of connections between Azure and on-premises networks through VPN gateways, ExpressRoute, and hybrid connections.

Examples

Setting up VPN gateway monitoring, tracking ExpressRoute circuit health, monitoring hybrid connection performance, alerting on connectivity failures.

Enterprise Use Case

IT operations teams monitor on-premises connectivity to ensure business continuity, troubleshoot hybrid network issues, maintain SLA compliance, and proactively address connectivity problems.

Diagram

Connectivity Monitoring:
┌─────────────────┐    ┌─────────────────┐
│   On-Premises   │←──→│     Azure       │
│                 │    │                 │
│ [Monitoring     │    │ [Connection     │
│  Agent]         │    │  Monitor]       │
│                 │    │                 │
│ [Health Status] │    │ [Metrics &      │
│ [Performance]   │    │  Alerts]        │
└─────────────────┘    └─────────────────┘

Azure Monitor for Networks

Explanation

Azure Monitor for Networks provides comprehensive monitoring and diagnostics for Azure networking resources with unified visibility into network health, performance, and connectivity across hybrid environments.

Examples

Monitoring VNet connectivity, tracking network performance metrics, setting up network health alerts, visualizing network topology and dependencies.

Enterprise Use Case

Network operations teams use Azure Monitor for Networks for centralized network monitoring, proactive issue detection, performance optimization, and maintaining network reliability.

Diagram

Azure Monitor for Networks:
┌──────────────────────────────────┐
│       Network Monitoring         │
├──────────────────────────────────┤
│ VNets          │ [Health Status] │
│ Gateways       │ [Performance]   │
│ Load Balancers │ [Connectivity]  │
│ Firewalls      │ [Alerts]        │
│ NSGs           │ [Dashboards]    │
└──────────────────────────────────┘

Azure Network Watcher

Explanation

Azure Network Watcher is a regional service providing network diagnostic and visualization tools for monitoring, diagnosing, and gaining insights into network performance and health in Azure.

Examples

Using IP flow verify for troubleshooting, capturing network packets, visualizing network topology, monitoring connections between resources.

Enterprise Use Case

Network administrators use Network Watcher for troubleshooting connectivity issues, security auditing, compliance verification, and understanding network behavior.

Diagram

Network Watcher Tools:
┌─────────────────────────────────┐
│        Network Watcher          │
├─────────────────────────────────┤
│ IP Flow Verify  │ [NSG Rules]   │
│ Packet Capture  │ [Traffic]     │
│ Topology View   │ [Resources]   │
│ Connection      │ [Monitoring]  │
│ Troubleshoot    │ [Diagnostics] │
└─────────────────────────────────┘

Network Topology View

Explanation

Network Topology View in Network Watcher provides a visual representation of Azure network resources and their relationships, dependencies, and connectivity within virtual networks.

Examples

Visualizing VNet resource relationships, understanding network dependencies, documenting network architecture, identifying connectivity paths.

Enterprise Use Case

Network architects use topology view for network documentation, troubleshooting, planning changes, and understanding complex network relationships.

Diagram

Network Topology:
┌─────────────────────────────────┐
│         Virtual Network         │
│                                 │
│ ┌─────────┐    ┌─────────────┐  │
│ │  VM 1   │────│   Load      │  │
│ └─────────┘    │  Balancer   │  │
│ ┌─────────┐    │             │  │
│ │  VM 2   │────│             │  │
│ └─────────┘    └─────────────┘  │
└─────────────────────────────────┘

IP Flow Verify

Explanation

IP Flow Verify tests whether a packet is allowed or denied to or from a virtual machine, helping troubleshoot connectivity issues by evaluating the NSG rules that apply to the VM and reporting the rule that allowed or blocked the packet.

Examples

Testing if HTTP traffic is allowed to a VM, verifying SSH access permissions, troubleshooting blocked connections, validating NSG rule configurations.

Enterprise Use Case

Network troubleshooters use IP Flow Verify to quickly identify why connections fail, validate security rules, debug network access issues, and verify NSG configurations.

Diagram

IP Flow Verify:
[Source IP] ──→ [IP Flow Verify] ──→ [Destination IP]
    │                   │                    │
[Port/Protocol]   [NSG Rule Check]      [VM/Resource]
    │                   │                    │
[Test Result]     [Allow/Deny]          [Rule Details]
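What IP Flow Verify does for a 5-tuple is replay the NSG rules that apply to the VM's NIC in priority order, including the default rules every NSG carries, and report the rule that decided. The Python model below is added as an illustration; it is not Network Watcher code and not part of the guide. It reuses the Allow HTTP / Deny SSH / Allow HTTPS rules from the Effective Security Rules box earlier in this section, and also shows the two-layer evaluation (subnet NSG and NIC NSG) that explains the common case where a subnet rule allows a port but the VM still cannot be reached. The VNet address space, the VM addresses and the client addresses are assumed values.

```python
"""Simplified model of what IP Flow Verify evaluates: NSG rules in priority order,
plus Azure's default rules, at the subnet and NIC levels. Constructed example, not
Network Watcher's own code. VNET_PREFIX is an assumed VNet address space."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_PREFIX = "10.0.0.0/16"          # assumed: what the VirtualNetwork service tag expands to
AZURE_LB_PROBE_IP = "168.63.129.16"  # source of Azure load-balancer health probes
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class SecurityRule:
    name: str
    priority: int        # custom rules use 100-4096; lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR, "*" or a service tag
    destination: str
    port_range: str      # "*", "22" or "80-443"


def default_rules() -> list[SecurityRule]:
    """The rules every NSG contains; they cannot be removed, only overridden by lower numbers."""
    return [
        SecurityRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        SecurityRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
        SecurityRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
        SecurityRule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
        SecurityRule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
        SecurityRule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
    ]


def _addr_match(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in ip_network(VNET_PREFIX)
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    if spec == "Internet":            # approximation: anything outside RFC1918 space
        return not any(ip in net for net in RFC1918)
    return ip in ip_network(spec, strict=False)


def _port_match(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate_nsg(rules, direction, src, dst, protocol, port) -> tuple[str, str]:
    """First matching rule in priority order decides; returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and _addr_match(r.source, src) and _addr_match(r.destination, dst)
                and _port_match(r.port_range, port)):
            return r.access, r.name
    return "Deny", "<no rule matched>"   # unreachable once the default rules are included


def ip_flow_verify(direction, src, dst, protocol, port,
                   subnet_nsg=None, nic_nsg=None) -> tuple[str, list[str]]:
    """Inbound traffic is checked against the subnet NSG first, then the NIC NSG;
    outbound is the reverse. None means no NSG is associated at that level (skipped);
    [] means an NSG that holds only the default rules. A Deny at either level is final."""
    levels = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        levels.reverse()
    matched = []
    for level, custom in levels:
        if custom is None:
            continue
        access, name = evaluate_nsg(list(custom) + default_rules(), direction, src, dst, protocol, port)
        matched.append(f"{level}:{name}")
        if access == "Deny":
            return "Deny", matched
    return "Allow", matched


# Constructed NSG mirroring the "Effective Security Rules" box earlier in this section.
WEB_NSG = [
    SecurityRule("Allow-HTTP", 100, "Inbound", "Allow", "Tcp", "*", "*", "80"),
    SecurityRule("Deny-SSH", 200, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    SecurityRule("Allow-HTTPS", 300, "Inbound", "Allow", "Tcp", "*", "*", "443"),
]
```

`ip_flow_verify("Inbound", "203.0.113.10", "10.0.1.4", "Tcp", 80, subnet_nsg=WEB_NSG)` reports Allow from `subnet:Allow-HTTP`. Attach an NSG with only the default rules to the NIC as well (`nic_nsg=[]`) and the same packet is denied by `nic:DenyAllInBound`, which is the situation IP Flow Verify is usually run to explain. Note also that `Deny-SSH` at priority 200 blocks port 22 even from inside the VNet, because it is evaluated before `AllowVnetInBound` at 65000.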

Troubleshoot External Networking

Explanation

External networking troubleshooting involves diagnosing connectivity issues between Azure resources and external networks including internet, on-premises, and third-party services.

Examples

Diagnosing internet connectivity failures, troubleshooting VPN connection issues, resolving DNS resolution problems, fixing routing configuration errors.

Enterprise Use Case

Support teams troubleshoot external networking to resolve customer connectivity issues, maintain service availability, ensure hybrid connectivity, and meet SLA requirements.

Diagram

External Network Troubleshooting:
Azure Resource ←─?─→ External Network
      │                    │
[Connectivity Test]  [Internet/On-Prem]
      │                    │
[DNS Resolution]     [Routing Check]
      │                    │
[Firewall Rules]     [Third-party]

Troubleshoot VNet Connectivity

Explanation

VNet connectivity troubleshooting focuses on diagnosing communication issues between resources within virtual networks, including subnet communication, peering issues, and internal routing problems.

Examples

Resolving VM-to-VM communication failures, fixing subnet routing issues, troubleshooting VNet peering problems, diagnosing NSG blocking internal traffic.

Enterprise Use Case

Network administrators troubleshoot VNet connectivity to ensure internal application communication, resolve service dependencies, maintain application performance, and fix network segmentation issues.

Diagram

VNet Connectivity Troubleshooting:
┌─────────────────────────────┐
│        Virtual Network      │
│                             │
│ VM A ←─?─→ VM B             │
│   │         │               │
│ [NSG]    [NSG]              │
│   │         │               │
│ [Route]  [Route]            │
│           │                 │
│ [Connectivity Test]         │
└─────────────────────────────┘

Azure Portal - Networking Management

Explanation

Azure Portal provides a graphical interface for managing all networking resources including VNets, NSGs, Load Balancers, and VPN Gateways with visual topology views and intuitive wizards.

Examples

Creating VNets through guided wizards, configuring NSG rules with visual rule builder, managing peering connections with network topology view, setting up load balancers with backend pool visualization.

Enterprise Use Case

IT administrators use Azure Portal for initial setup, visual troubleshooting, training new team members, and managing complex configurations that benefit from graphical interfaces.

Diagram

Azure Portal Networking Interface:
┌─────────────────────────────────────────────────────────────────┐
│                    🌐 Azure Portal                              │
├─────────────────────────────────────────────────────────────────┤
│ 📊 Network Dashboard          🔧 Quick Actions                  │
│ ├─ Virtual Networks (15)      ├─ Create VNet                   │
│ ├─ Network Security (8)       ├─ Add NSG Rule                  │
│ ├─ Load Balancers (3)         ├─ Configure Peering             │
│ └─ VPN Gateways (2)          └─ Deploy Load Balancer          │
├─────────────────────────────────────────────────────────────────┤
│           🗺️  Network Topology Visualization                    │
│    ┌─────────┐    ┌─────────┐    ┌─────────┐                   │
│    │ VNet-A  ├────┤ Gateway ├────┤ VNet-B  │                   │
│    └─────────┘    └─────────┘    └─────────┘                   │
└─────────────────────────────────────────────────────────────────┘

Azure CLI - Networking Commands

Explanation

Azure CLI provides cross-platform command-line tools for networking automation with consistent syntax, scriptable operations, and integration with DevOps pipelines for infrastructure as code.

Examples

az network vnet create for VNet provisioning, az network nsg rule create for security rules, az network vnet-gateway create for VPN setup, az network lb create for load balancer deployment.

Enterprise Use Case

DevOps teams use Azure CLI for automated deployments, Infrastructure as Code, CI/CD pipelines, and scripting repetitive networking tasks across multiple environments.

Diagram

Azure CLI Networking Commands:
╔══════════════════════════════════════════════════════════════════╗
║                      💻 Azure CLI Terminal                       ║
╠══════════════════════════════════════════════════════════════════╣
║ 🚀 Core Networking Commands:                                    ║
║ ┌────────────────────────────────────────────────────────────┐   ║
║ │ # Virtual Networks                                         │   ║
║ │ az network vnet create --name MyVNet --address-prefixes    │   ║
║ │ az network subnet create --vnet-name MyVNet --name WebTier │   ║
║ │                                                            │   ║
║ │ # Network Security Groups                                  │   ║
║ │ az network nsg create --name MyNSG                        │   ║
║ │ az network nsg rule create --nsg-name MyNSG --name HTTP   │   ║
║ │                                                            │   ║
║ │ # Load Balancing                                           │   ║
║ │ az network lb create --name MyLB --sku Standard           │   ║
║ │ az network lb probe create --lb-name MyLB --name HealthCk  │   ║
║ └────────────────────────────────────────────────────────────┘   ║
║ 📋 Output: JSON formatted results for automation integration     ║
╚══════════════════════════════════════════════════════════════════╝

Azure PowerShell - Networking Cmdlets

Explanation

Azure PowerShell provides object-oriented cmdlets for networking management with strong Windows integration, pipeline support, and rich object manipulation for complex automation scenarios.

Examples

New-AzVirtualNetwork for VNet creation, New-AzNetworkSecurityGroup for NSG setup, New-AzLoadBalancer for load balancer deployment, Set-AzVirtualNetworkPeering for peering configuration.

Enterprise Use Case

Windows administrators use PowerShell for advanced scripting, bulk operations, integration with existing PowerShell workflows, and leveraging .NET object capabilities.

Diagram

Azure PowerShell Networking Cmdlets:
╔══════════════════════════════════════════════════════════════════╗
║                    🔷 Azure PowerShell                           ║
╠══════════════════════════════════════════════════════════════════╣
║ 🛠️  Networking Cmdlet Categories:                                ║
║                                                                  ║
║ 📊 Virtual Network Management:                                   ║
║ ┌──────────────────────────────────────────────────────────────┐ ║
║ │ New-AzVirtualNetwork -Name "VNet-Prod" -AddressPrefix       │ ║
║ │ Get-AzVirtualNetwork | Where-Object {$_.Name -like "VNet*"} │ ║
║ │ Set-AzVirtualNetwork -VirtualNetwork $vnet                  │ ║
║ └──────────────────────────────────────────────────────────────┘ ║
║                                                                  ║
║ 🔐 Security & Access Control:                                    ║
║ ┌──────────────────────────────────────────────────────────────┐ ║
║ │ New-AzNetworkSecurityGroup -Name "NSG-Web"                  │ ║
║ │ Add-AzNetworkSecurityRuleConfig -Name "Allow-HTTP"          │ ║
║ │ $nsg | Set-AzNetworkSecurityGroup                           │ ║
║ └──────────────────────────────────────────────────────────────┘ ║
║                                                                  ║
║ ⚖️ Load Balancing & Traffic Management:                          ║
║ ┌──────────────────────────────────────────────────────────────┐ ║
║ │ $lb = New-AzLoadBalancer -Name "LB-Web" -Sku "Standard"     │ ║
║ │ $lb | Add-AzLoadBalancerBackendAddressPoolConfig             │ ║
║ └──────────────────────────────────────────────────────────────┘ ║
╚══════════════════════════════════════════════════════════════════╝

Portal - VNet Peering Configuration

Explanation

Azure Portal provides an intuitive interface for configuring VNet peering with visual network topology, guided wizards, and real-time validation of peering settings and connectivity requirements.

Examples

Creating bidirectional peering through guided wizards, visualizing peering topology with interactive network maps, configuring gateway transit settings with checkbox options, monitoring peering status with dashboard views.

Enterprise Use Case

Network architects use Portal for initial peering setup, troubleshooting connectivity issues with visual tools, demonstrating network topology to stakeholders, and training team members on peering concepts.

Diagram

Portal VNet Peering Configuration:
┌─────────────────────────────────────────────────────────────────────┐
│                🌐 Azure Portal - VNet Peering                       │
├─────────────────────────────────────────────────────────────────────┤
│ 📋 Peering Configuration Wizard:                                   │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Step 1: Select Source VNet    [VNet-Production ▼]             │ │
│ │ Step 2: Select Target VNet    [VNet-Development ▼]            │ │
│ │ Step 3: Peering Settings                                       │ │
│ │   ☑️ Allow virtual network access                              │ │
│ │   ☑️ Allow forwarded traffic                                   │ │
│ │   ☐ Allow gateway transit                                      │ │
│ │   ☐ Use remote gateways                                        │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│                                                                     │
│ 🗺️  Network Topology Preview:                                       │
│     ┌─────────────┐  ✅ Peering  ┌─────────────┐                   │
│     │ VNet-Prod   ├──────────────┤ VNet-Dev    │                   │
│     │ 10.0.0.0/16 │              │ 10.1.0.0/16 │                   │
│     └─────────────┘              └─────────────┘                   │
└─────────────────────────────────────────────────────────────────────┘

CLI - VNet Peering Automation

Explanation

Azure CLI enables automated VNet peering configuration through scriptable commands, supporting bidirectional peering setup, bulk operations, and integration with Infrastructure as Code workflows.

Examples

az network vnet peering create for automated peering, scripting bidirectional connections with bash loops, template-based peering deployment, pipeline integration for multi-environment setup.

Enterprise Use Case

DevOps engineers use CLI for automated network provisioning, consistent multi-environment deployments, Infrastructure as Code implementations, and scripted disaster recovery setups.

Diagram

Azure CLI VNet Peering Automation:
╔═══════════════════════════════════════════════════════════════════╗
║                    💻 Automated Peering Script                    ║
╠═══════════════════════════════════════════════════════════════════╣
║ 🔧 Bidirectional Peering Setup:                                  ║
║ ┌─────────────────────────────────────────────────────────────┐   ║
║ │ #!/bin/bash                                                 │   ║
║ │ # Create peering from VNet-A to VNet-B                      │   ║
║ │ az network vnet peering create \                            │   ║
║ │   --name "VNet-A-to-VNet-B" \                               │   ║
║ │   --resource-group "RG-Network" \                           │   ║
║ │   --vnet-name "VNet-Production" \                           │   ║
║ │   --remote-vnet "/subscriptions/.../VNet-Development" \     │   ║
║ │   --allow-vnet-access --allow-forwarded-traffic              │   ║
║ │                                                             │   ║
║ │ # Create reverse peering from VNet-B to VNet-A              │   ║
║ │ # Same flags both ways, else one direction is blocked       │   ║
║ │ az network vnet peering create \                            │   ║
║ │   --name "VNet-B-to-VNet-A" \                               │   ║
║ │   --resource-group "RG-Network" \                           │   ║
║ │   --vnet-name "VNet-Development" \                          │   ║
║ │   --remote-vnet "/subscriptions/.../VNet-Production" \      │   ║
║ │   --allow-vnet-access --allow-forwarded-traffic              │   ║
║ └─────────────────────────────────────────────────────────────┘   ║
║                                                                   ║
║ 📊 Validation & Monitoring:                                       ║
║ └─ az network vnet peering list --output table                    ║
║ └─ az network vnet peering show --name "Peering-Name"             ║
╚═══════════════════════════════════════════════════════════════════╝

PowerShell - VNet Peering Management

Explanation

Azure PowerShell provides object-oriented VNet peering management with pipeline support, advanced filtering capabilities, and integration with existing Windows automation workflows.

Examples

New-AzVirtualNetworkPeering for peering creation, Get-AzVirtualNetworkPeering with Where-Object filtering, Set-AzVirtualNetworkPeering for configuration updates, bulk operations with ForEach-Object.

Enterprise Use Case

Windows administrators leverage PowerShell for complex peering scenarios, integration with existing scripts, advanced reporting with custom objects, and orchestration with other Azure services.

Diagram

Azure PowerShell VNet Peering Management:
╔═══════════════════════════════════════════════════════════════════╗
║                  🔷 PowerShell Peering Workflow                   ║
╠═══════════════════════════════════════════════════════════════════╣
║ 🚀 Pipeline-Based Peering Operations:                            ║
║                                                                   ║
║ 📝 Create and Configure Peering:                                 ║
║ ┌─────────────────────────────────────────────────────────────┐   ║
║ │ # Get VNet objects                                          │   ║
║ │ $vnetProd = Get-AzVirtualNetwork -Name "VNet-Production"    │   ║
║ │ $vnetDev = Get-AzVirtualNetwork -Name "VNet-Development"    │   ║
║ │                                                             │   ║
║ │ # Create the peering; settings are switch parameters        │   ║
║ │ # VNet access is allowed unless -BlockVirtualNetworkAccess  │   ║
║ │ Add-AzVirtualNetworkPeering -Name "Prod-to-Dev" `           │   ║
║ │     -VirtualNetwork $vnetProd `                             │   ║
║ │     -RemoteVirtualNetworkId $vnetDev.Id `                   │   ║
║ │     -AllowForwardedTraffic                                  │   ║
║ └─────────────────────────────────────────────────────────────┘   ║
║                                                                   ║
║ 📊 Advanced Querying & Reporting:                                ║
║ ┌─────────────────────────────────────────────────────────────┐   ║
║ │ Get-AzVirtualNetwork | ForEach-Object {                     │   ║
║ │   Get-AzVirtualNetworkPeering -VirtualNetworkName $_.Name ` │   ║
║ │     -ResourceGroupName $_.ResourceGroupName                 │   ║
║ │ } | Where-Object {$_.PeeringState -eq "Connected"} |        │   ║
║ │ Select-Object Name, PeeringState, RemoteVirtualNetwork      │   ║
║ └─────────────────────────────────────────────────────────────┘   ║
╚═══════════════════════════════════════════════════════════════════╝
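The three peering sections above (Portal, CLI and PowerShell) all build the same hub/spoke link, and the two things that make it fail or stay in the Initiated state are the same whichever tool creates it: the address spaces must not overlap, and the reverse peering must exist with matching settings. The following added example is not from the study guide; it validates a peering plan offline before any az or Az cmdlet runs. The setting names are the ones az network vnet peering show returns; every VNet, prefix and peering below is a constructed sample value.

```python
"""Offline validation of a hub/spoke VNet peering plan.

Added example, not code from the study guide. It checks the two things
that make `az network vnet peering create` fail or leave the link in the
Initiated state: overlapping address spaces, and a missing or mismatched
reverse peering. Settings use the property names `az network vnet
peering show` returns; all VNet data here is constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VNet:
    name: str
    address_space: list                            # CIDR prefixes of the VNet
    peerings: dict = field(default_factory=dict)   # remote VNet name -> settings


def address_space_overlaps(a: VNet, b: VNet) -> list:
    """Pairs of prefixes that overlap; Azure refuses to peer such VNets."""
    clashes = []
    for pa in a.address_space:
        for pb in b.address_space:
            if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                clashes.append((pa, pb))
    return clashes


def peering_problems(a: VNet, b: VNet) -> list:
    """Human-readable reasons the a <-> b link would not work as intended."""
    problems = [f"address overlap {pa} / {pb}"
                for pa, pb in address_space_overlaps(a, b)]
    fwd, rev = a.peerings.get(b.name), b.peerings.get(a.name)
    # A peering only reaches PeeringState 'Connected' once the remote side links back.
    if fwd is None:
        problems.append(f"missing peering {a.name} -> {b.name}")
    if rev is None:
        problems.append(f"missing peering {b.name} -> {a.name}")
    if fwd and rev:
        # Asymmetric flags silently block traffic in one direction.
        for key in ("allowVirtualNetworkAccess", "allowForwardedTraffic"):
            if fwd.get(key, False) != rev.get(key, False):
                problems.append(f"{key} differs between the two directions")
        # Using the remote gateway requires the other side to allow gateway transit.
        for src, dst, here, there in ((a, b, fwd, rev), (b, a, rev, fwd)):
            if here.get("useRemoteGateways") and not there.get("allowGatewayTransit"):
                problems.append(
                    f"{src.name} useRemoteGateways but {dst.name} lacks allowGatewayTransit")
    return problems


# Constructed sample: the pair from the diagrams, peered correctly, with the
# production hub offering its gateway to the development spoke.
PROD = VNet("VNet-Production", ["10.0.0.0/16"], {
    "VNet-Development": {"allowVirtualNetworkAccess": True, "allowForwardedTraffic": True,
                         "allowGatewayTransit": True, "useRemoteGateways": False}})
DEV = VNet("VNet-Development", ["10.1.0.0/16"], {
    "VNet-Production": {"allowVirtualNetworkAccess": True, "allowForwardedTraffic": True,
                        "allowGatewayTransit": False, "useRemoteGateways": True}})

# Constructed failure case: the spoke was carved out of the hub's own range,
# and only one direction of the peering was created.
HUB = VNet("VNet-Hub", ["10.0.0.0/16"], {"VNet-Spoke": {"allowVirtualNetworkAccess": True}})
SPOKE = VNet("VNet-Spoke", ["10.0.8.0/22"])


if __name__ == "__main__":
    print("prod/dev:", peering_problems(PROD, DEV) or "ok")
    print("hub/spoke:", peering_problems(HUB, SPOKE))
```

Run it against the real environment by filling the VNet objects from az network vnet show and az network vnet peering list output; the checks are tool-independent, so the same script fronts the Portal wizard, the bash script and the PowerShell pipeline shown above.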

Portal - Network Security Group Management

Explanation

Azure Portal provides comprehensive NSG management with visual rule builder, traffic flow visualization, and security recommendations to simplify complex network security configurations.

Examples

Creating security rules with graphical interface, visualizing traffic flows with network topology, using security recommendations for best practices, managing rule priorities with drag-and-drop interface.

Enterprise Use Case

Security administrators use Portal for visual security policy design, compliance reporting with built-in dashboards, collaborative rule review sessions, and security training with visual examples.

Diagram

Portal Network Security Group Management:
┌─────────────────────────────────────────────────────────────────────┐
│              🌐 Azure Portal - Network Security Groups              │
├─────────────────────────────────────────────────────────────────────┤
│ 🔐 Security Rules Configuration:                                   │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Rule Builder Interface:                                         │ │
│ │ ├─ Priority: [1000        ] ⚠️ Lower = Higher Priority         │ │
│ │ ├─ Name:     [Allow-HTTP   ] 📝 Descriptive Rule Name          │ │
│ │ ├─ Action:   [Allow    ▼]   ✅ Allow/Deny Selection            │ │
│ │ ├─ Source:   [Any      ▼]   🌍 Source IP Configuration         │ │
│ │ ├─ Port:     [80       ▼]   🔌 Destination Port Range          │ │
│ │ └─ Protocol: [TCP     ▼]   🔄 TCP/UDP/Any Protocol             │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│                                                                     │
│ 📊 Traffic Flow Visualization:                                     │
│     🌐 Internet ──→ NSG ──→ 🖥️  Virtual Machine                   │
│           │         │         │                                   │
│        [Rules]   [Filter]  [Application]                         │
│           │         │         │                                   │
│       [Allow/Deny] [Log] [Monitor]                               │
│                                                                     │
│ 🎯 Security Recommendations:                                       │
│ ├─ ⚠️  Close unused ports (22, 3389)                              │
│ ├─ ✅ Enable NSG Flow Logs                                        │
│ └─ 🔍 Review overly permissive rules                              │
└─────────────────────────────────────────────────────────────────────┘

CLI - Network Security Group Automation

Explanation

Azure CLI enables programmatic NSG management with scriptable security rule deployment, bulk operations, and integration with DevSecOps pipelines for consistent security policy enforcement.

Examples

az network nsg create for NSG provisioning, az network nsg rule create for automated rule deployment, scripted security baseline implementation, pipeline-based security compliance enforcement.

Enterprise Use Case

DevSecOps teams use CLI for automated security policy deployment, Infrastructure as Code security implementation, compliance automation, and consistent security rule management across environments.

Diagram

Azure CLI Network Security Group Automation:
╔═══════════════════════════════════════════════════════════════════╗
║                   💻 CLI Security Automation                      ║
╠═══════════════════════════════════════════════════════════════════╣
║ 🔒 Automated Security Rule Deployment:                           ║
║ ┌─────────────────────────────────────────────────────────────┐   ║
║ │ #!/bin/bash                                                 │   ║
║ │ # Create NSG for Web Tier                                   │   ║
║ │ az network nsg create \                                     │   ║
║ │   --name "NSG-WebTier" \                                    │   ║
║ │   --resource-group "RG-Network" \                           │   ║
║ │   --location "eastus"                                       │   ║
║ │                                                             │   ║
║ │ # Add an inbound allow rule for web traffic                 │   ║
║ │ az network nsg rule create \                                │   ║
║ │   --resource-group "RG-Network" \                           │   ║
║ │   --nsg-name "NSG-WebTier" \                                │   ║
║ │   --name "Allow-HTTP" \                                     │   ║
║ │   --priority 1000 \                                         │   ║
║ │   --source-address-prefixes "*" \                           │   ║
║ │   --destination-port-ranges "80" "443" \                    │   ║
║ │   --access "Allow" --protocol "Tcp"                         │   ║
║ │                                                             │   ║
║ │ # Apply NSG to subnet                                       │   ║
║ │ az network vnet subnet update \                             │   ║
║ │   --resource-group "RG-Network" \                           │   ║
║ │   --vnet-name "VNet-Production" \                           │   ║
║ │   --name "SubNet-Web" \                                     │   ║
║ │   --network-security-group "NSG-WebTier"                    │   ║
║ └─────────────────────────────────────────────────────────────┘   ║
║                                                                   ║
║ 📋 Compliance Validation:                                         ║
║ └─ az network nsg rule list --nsg-name "NSG-WebTier" --query     ║
║    "[?access=='Allow' && direction=='Inbound'].{Name:name,...}"   ║
╚═══════════════════════════════════════════════════════════════════╝

PowerShell - Network Security Group Operations

Explanation

Azure PowerShell provides advanced NSG management with object-oriented security rule manipulation, complex filtering operations, and seamless integration with Windows security frameworks.

Examples

New-AzNetworkSecurityGroup for NSG creation, Add-AzNetworkSecurityRuleConfig with pipeline operations, Get-AzNetworkSecurityGroup with complex Where-Object filtering, bulk rule modifications with ForEach-Object.

Enterprise Use Case

Security architects use PowerShell for complex security policy orchestration, integration with Active Directory security groups, advanced reporting with custom objects, and Windows-centric security automation.

Diagram

Azure PowerShell Network Security Group Operations:
╔═══════════════════════════════════════════════════════════════════╗
║                 🔷 PowerShell Security Management                 ║
╠═══════════════════════════════════════════════════════════════════╣
║ 🛡️  Object-Oriented Security Configuration:                      ║
║                                                                   ║
║ 📝 NSG Creation and Rule Management:                              ║
║ ┌─────────────────────────────────────────────────────────────┐   ║
║ │ # Create NSG with object pipeline                           │   ║
║ │ $nsg = New-AzNetworkSecurityGroup `                        │   ║
║ │     -Name "NSG-WebTier" `                                  │   ║
║ │     -ResourceGroupName "RG-Network" `                      │   ║
║ │     -Location "East US"                                     │   ║
║ │                                                             │   ║
║ │ # Add security rules with object manipulation               │   ║
║ │ $nsg | Add-AzNetworkSecurityRuleConfig `                   │   ║
║ │     -Name "Allow-HTTP" `                                   │   ║
║ │     -Access "Allow" `                                      │   ║
║ │     -Protocol "Tcp" `                                      │   ║
║ │     -Direction "Inbound" `                                 │   ║
║ │     -Priority 1000 `                                       │   ║
║ │     -SourceAddressPrefix "*" `                             │   ║
║ │     -DestinationPortRange @("80","443")                     │   ║
║ │                                                             │   ║
║ │ # Apply configuration                                       │   ║
║ │ $nsg | Set-AzNetworkSecurityGroup                           │   ║
║ └─────────────────────────────────────────────────────────────┘   ║
║                                                                   ║
║ 📊 Advanced Analysis & Reporting:                                ║
║ ┌─────────────────────────────────────────────────────────────┐   ║
║ │ # Security compliance analysis                              │   ║
║ │ Get-AzNetworkSecurityGroup | ForEach-Object {               │   ║
║ │     $_.SecurityRules | Where-Object {                       │   ║
║ │         $_.Access -eq "Allow" -and                          │   ║
║ │         $_.SourceAddressPrefix -eq "*" -and                 │   ║
║ │         $_.DestinationPortRange -contains "22"              │   ║
║ │     }                                                       │   ║
║ │ } | Select-Object Name, Priority, Protocol                  │   ║
║ └─────────────────────────────────────────────────────────────┘   ║
╚═══════════════════════════════════════════════════════════════════╝
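The three NSG sections above share two ideas: rules are evaluated lowest priority number first with the first match winning (the Portal's "Lower = Higher Priority"), and the review a security team runs is the one the Portal recommendation, the CLI JMESPath query and the PowerShell Where-Object filter all express: find Allow rules that expose 22 or 3389 to any source. The following added example, which is not from the study guide, reproduces that evaluation order offline over rule dictionaries shaped like az network nsg rule list -o json output. The NSG rules, the VNet range that the VirtualNetwork tag resolves to and the source addresses are constructed sample values; the default inbound rules and their priorities are Azure's own.

```python
"""Offline NSG rule evaluation and review of overly permissive rules.

Added example, not code from the study guide. Rules are dicts shaped like
`az network nsg rule list -o json` output (constructed samples). DEFAULT_INBOUND
reproduces Azure's built-in inbound rules, present on every NSG at priorities
65000-65500; a custom rule overrides them only by using a lower number.
"""
import ipaddress

# Constructed: what the 'VirtualNetwork' service tag resolves to in this sample.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")   # source of AzureLoadBalancer probes
MANAGEMENT_PORTS = (22, 3389)

DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed sample NSG: the web-tier rule from the text, a bastion-only SSH
# rule, and a legacy rule that opens SSH to everyone.
RULES = [
    {"name": "Allow-HTTP", "priority": 1000, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "443"]},
    {"name": "Allow-SSH-Bastion", "priority": 1050, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.250.0/26", "destinationPortRange": "22"},
    {"name": "Allow-SSH-Anywhere", "priority": 1100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
]
HARDENED = [r for r in RULES if r["name"] != "Allow-SSH-Anywhere"]


def _values(rule, singular, plural):
    """az fills either the singular field or the plural list; normalise to one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(singular):
        vals.append(rule[singular])
    return vals


def port_matches(spec, port):
    """spec is '*', a single port such as '22', or a range such as '1000-2000'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def source_matches(spec, ip):
    """CIDR/IP literal or one of the service tags used by the default rules."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "Internet":
        return not any(addr in n for n in RFC1918)
    if spec == "VirtualNetwork":
        return addr in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src_ip, dst_port, protocol="Tcp"):
    """First matching Inbound rule wins, lowest priority number first; the
    default rules always come last. Returns (rule name, access)."""
    inbound = [r for r in list(rules) + DEFAULT_INBOUND if r["direction"] == "Inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if r["protocol"] != "*" and r["protocol"].lower() != protocol.lower():
            continue
        if not any(source_matches(s, src_ip)
                   for s in _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")):
            continue
        if not any(port_matches(p, dst_port)
                   for p in _values(r, "destinationPortRange", "destinationPortRanges")):
            continue
        return r["name"], r["access"]
    raise AssertionError("DenyAllInBound matches every packet")


def overly_permissive(rules):
    """Names of Allow/Inbound rules exposing SSH or RDP to any source."""
    hits = []
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        sources = _values(r, "sourceAddressPrefix", "sourceAddressPrefixes")
        ports = _values(r, "destinationPortRange", "destinationPortRanges")
        open_source = any(s in ("*", "Internet") for s in sources)
        mgmt_port = any(port_matches(p, m) for p in ports for m in MANAGEMENT_PORTS)
        if open_source and mgmt_port:
            hits.append(r["name"])
    return hits


if __name__ == "__main__":
    print(evaluate(RULES, "203.0.113.5", 22))       # ('Allow-SSH-Anywhere', 'Allow')
    print(overly_permissive(RULES))                  # ['Allow-SSH-Anywhere']
    print(evaluate(HARDENED, "203.0.113.5", 22))    # ('DenyAllInBound', 'Deny')
```

The bastion rule at 1050 already allows the intended SSH path, so removing Allow-SSH-Anywhere changes nothing for administrators while letting the built-in DenyAllInBound at 65500 take over for every other source; feed real az network nsg rule list output into evaluate and overly_permissive to confirm the same before and after a rule change.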
